On Tue, Sep 7, 2010 at 3:46 AM, Evan Prodromou <[email protected]> wrote:
> On Sun, 2010-09-05 at 17:07 -0400, Craig Andrews wrote:
> > As far as my understanding of CSRF goes, the username/password login
> > process isn't vulnerable to such an attack (because the user isn't logged
> > in yet, and it's not a target for malicious action, like posting a notice
> > would be).
>
> That's a good point. I don't know if you were around, but we had someone
> do a CSRF attack on identi.ca to prove that it could be done, and it was
> really unpleasant (me and Zach stayed up all night patching forms in the
> software to make sure it wouldn't happen again).
>
> I'm not excited about removing those tokens, but... it seems like less of a
> big deal for login forms.
>
> I'd like to hear a third opinion, though, before you remove the code.

My understanding is that CSRF protection is not necessary on forms being filled out by anonymous users. I know that when we were dealing with this in Drupal we ended up only salting forms for logged in users.

I think it's safe to remove from the login form.

--
James Walker :: http://walkah.net/ :: http://james.status.net/
_______________________________________________
StatusNet-dev mailing list
[email protected]
http://lists.status.net/mailman/listinfo/statusnet-dev
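As an added example (not code from StatusNet, identi.ca or Drupal), here is the kind of per-session form token the thread is discussing, in Python: the token is an HMAC over the session id and the form name, so it can only be issued and verified once there is a session to bind it to, and a token issued to one session fails in any other. The function names, form ids and the server key are assumptions.

```python
import hashlib
import hmac
import os

# Constructed server-side secret; a real deployment keeps one persistent key.
SERVER_KEY = os.urandom(32)


def make_token(session_id: str, form_id: str, key: bytes = SERVER_KEY) -> str:
    """Issue a form token bound to one session and one form.

    HMAC(key, session_id || form_id): unguessable without the server key and
    different for every session, so a cross-site POST made by the victim's
    browser cannot carry a value that matches the victim's session.
    """
    msg = f"{session_id}\x00{form_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_token(session_id: str, form_id: str, submitted: str,
                key: bytes = SERVER_KEY) -> bool:
    """Verify a submitted token against the session that sent the form.

    With no session (the anonymous case the thread discusses) there is
    nothing to bind the token to, so verification is refused outright.
    """
    if not session_id or not submitted:
        return False
    expected = make_token(session_id, form_id, key)
    # Constant-time comparison avoids leaking the expected value via timing.
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id: str, form_id: str, fields: dict) -> str:
    """Gate a state-changing form handler (hypothetical) on the token check."""
    if not check_token(session_id, form_id, fields.get("token", "")):
        return "rejected: missing or mismatched form token"
    return f"accepted: {form_id} submitted by session {session_id}"


if __name__ == "__main__":
    victim = "sess-victim"
    tok = make_token(victim, "newnotice")
    # Legitimate submission: the browser sends back the token the server issued.
    print(handle_post(victim, "newnotice", {"token": tok}))
    # Forged submission: a third-party page cannot know the victim's token.
    print(handle_post(victim, "newnotice", {"token": "guess"}))
    # A token from another session does not transfer.
    print(handle_post("sess-other", "newnotice", {"token": tok}))
```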
