On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
> On 2011-4-4 18:22, Roger wrote:
>> Hi Laurence, Stephan
>>
>> Just because you can write login forms with
>> z3c.form this package has nothing to do with
>> authentication. That's just a form framework!
>>
>> Authentication is definitely not a part
>> of our z3c.form framework and should not
>> become one.
>>
>> Why do you think authentication has something
>> to do with the z3c.form library? Did I miss
>> something?
>
> CSRF has nothing to do with authentication. It has to do with securing
> forms on websites.
Imagine that Alice Malice runs a site she tempts Bob Slob to visit while Bob is logged into your site with privileged credentials. Alice adds JavaScript to an apparently harmless page which "spoofs" submitting a form to your site on Bob's behalf, perhaps granting Alice extra permissions, or defacing your site.

If your site uses CSRF-protected forms, then "real" forms will contain a hidden field whose value is a "signature" (a hashed value known only to the server). The server generates the hash when it renders the form, and stores it in the authenticated user's session; when the form is submitted, the server checks that the hash is valid before processing the form. Because it has either a missing or an invalid hash, Alice's spoofed submission can be rejected.

Tres.

--
===================================================================
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
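The render/store/check cycle Tres describes, as an added example rather than code from this thread or from z3c.form. The session is modelled as a plain dict and `render_form`, `handle_submit` and `SESSION_KEY` are hypothetical names chosen here; the token is a random value rather than a hash of anything, which is sufficient for the check the message describes.

```python
import hmac
import secrets

# Constructed stand-in for the authenticated user's server-side session
# (in a real app this is looked up from Bob's auth cookie); not z3c.form code.
SESSION_KEY = "_csrf_token"


def render_form(session):
    """Server renders a 'real' form: mint a fresh random token, remember it in
    the user's session, and emit it as the form's hidden field."""
    token = secrets.token_hex(32)
    session[SESSION_KEY] = token
    return f'<input type="hidden" name="{SESSION_KEY}" value="{token}">'


def handle_submit(session, form_data):
    """Server receives a submission: process it only if the submitted token
    matches the one stored in the session for this user."""
    expected = session.get(SESSION_KEY)
    submitted = form_data.get(SESSION_KEY)
    if not expected or not submitted:
        return ("rejected", "missing CSRF token")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected, submitted):
        return ("rejected", "invalid CSRF token")
    # Single-use: discard the token so a replay of the same submission fails.
    del session[SESSION_KEY]
    return ("accepted", form_data.get("action"))


def demo():
    """Bob's genuine submission is accepted; Alice's spoofed ones are not."""
    session = {}
    render_form(session)
    genuine = handle_submit(
        session, {"action": "grant_admin", SESSION_KEY: session[SESSION_KEY]})
    # Alice's page can trigger a POST with Bob's cookies attached, but it has
    # no way to read the token from Bob's rendered form, so it arrives either
    # without a token or with a wrong one.
    render_form(session)
    spoof_missing = handle_submit(session, {"action": "grant_admin"})
    spoof_wrong = handle_submit(
        session, {"action": "grant_admin", SESSION_KEY: "0" * 64})
    return genuine, spoof_missing, spoof_wrong
```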