> While the token is ALSO used for double submit protection, it
> also validates that the user got to your form the right way.
>
> i.e., if they don't go to page A and submit, their token
> won't be valid.
Interesting ... Does the following use case break this?

If a malicious user goes to page A and submits, they get page B with a valid token as a hidden form field. They then try to submit this valid token to some action X that should not be reachable from B. The synchronizer token would still let them access X because the request has a valid token.

To prevent this we would have to store in the token which page it was associated with, then check the form-token binding in each action. This gets back to each Action doing its own flow control, which I'm wanting to avoid.

Is this right, or did I miss something?

-Kam
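The two designs discussed in this thread, side by side, as an added example (not code from the thread or from any Struts release). The first is a plain per-session synchronizer token, which any action accepts; the second binds the token to the action it was issued for at render time and checks the binding once in a single dispatcher, so no individual action has to know the flow. The `Session` class, the action names `submitB` and `X`, and the `dispatch` function are constructed for the illustration.

```python
import hmac
import secrets


# Constructed in-memory session standing in for the servlet session.
class Session:
    def __init__(self):
        self.data = {}


# --- Plain synchronizer token: one per session, accepted by every action ---

def issue_plain_token(session):
    """Called when page B is rendered; the value goes into a hidden field."""
    token = secrets.token_hex(16)
    session.data["token"] = token
    return token


def check_plain_token(session, submitted):
    """Any action can call this; it only knows the token exists, not where it came from."""
    expected = session.data.pop("token", None)  # one-time use: cleared on first check
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


# --- Flow-bound token: issued for a named target action, checked centrally ---

def issue_bound_token(session, target_action):
    """Render-time: the page that contains the form records which action it leads to."""
    token = secrets.token_hex(16)
    session.data.setdefault("bound", {})[token] = target_action
    return token


def check_bound_token(session, submitted, action):
    """Accept only if this exact token was issued for this exact action, and only once."""
    bound = session.data.get("bound", {})
    target = bound.pop(submitted, None)  # dict lookup is not timing-safe; fine for a demo
    if target is None:
        return False
    return hmac.compare_digest(target, action)


# Hypothetical action handlers; none of them contains flow-control code.
ACTIONS = {
    "submitB": lambda: "B accepted",
    "X": lambda: "X executed",
}


def dispatch(session, action, form):
    """Single front-controller check, so individual actions stay flow-agnostic."""
    if action not in ACTIONS:
        return "rejected"
    if not check_bound_token(session, form.get("token"), action):
        return "rejected"
    return ACTIONS[action]()


# --- The scenario from the thread, run against both designs ---

def kam_scenario_plain():
    s = Session()
    token = issue_plain_token(s)        # page B renders this hidden field
    return check_plain_token(s, token)  # posted to action X instead: accepted


def kam_scenario_bound():
    s = Session()
    token = issue_bound_token(s, "submitB")
    return dispatch(s, "X", {"token": token})  # same misuse: rejected


def legit_flow_bound():
    s = Session()
    token = issue_bound_token(s, "submitB")
    return dispatch(s, "submitB", {"token": token})  # intended flow still works


def replay_bound():
    s = Session()
    token = issue_bound_token(s, "submitB")
    dispatch(s, "submitB", {"token": token})
    return dispatch(s, "submitB", {"token": token})  # second use is rejected


if __name__ == "__main__":
    print("plain token, posted to X:", kam_scenario_plain())
    print("bound token, posted to X:", kam_scenario_bound())
    print("bound token, posted to submitB:", legit_flow_bound())
    print("bound token, replayed:", replay_bound())
```

The binding is recorded where the token is issued (in the page that knows its own target), not where it is checked, which is what keeps the per-action code free of flow logic; the one central check in `dispatch` is the only place that compares the two.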