Yes - there is that possibility.
w
On Wed, 26 Jan 2005 11:58:23 -0500
"ckl" <[EMAIL PROTECTED]> wrote:
Interesting ... Does the following use case break this?

If a malicious user goes to page A, submits, and gets page B with a valid token as a hidden form field, they can then try to submit this valid token to some action X that should not be reachable from B. The synchronizer token would still let them access X because the request has a valid token. To prevent this we would have to store in the token which page it was associated with, then check the form-token binding in each action. This gets back to each Action doing its own flow control, which I'm wanting to avoid.

Is this right or did I miss something?
-Kam
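The binding Kam describes, as an added example that is not part of this thread and is not Struts code (Struts's own token methods work differently): a generic Python sketch of the plain synchronizer token, which accepts any valid session token for any action, beside one that records the action each token was issued for and rejects the token when it is replayed against a different action. The session id, action names and store classes are assumed for illustration only.

```python
"""Synchronizer token: per-session token vs. token bound to its action.

Added illustration, not code from the mailing-list thread or from Struts.
"""
import hmac
import secrets


class NaiveTokenStore:
    """Classic synchronizer token: one token per session, any action accepts it."""

    def __init__(self):
        self.sessions = {}  # session_id -> current token (assumed in-memory session)

    def issue(self, session_id, action):
        # 'action' is ignored: the token is not tied to where it was issued.
        token = secrets.token_urlsafe(32)
        self.sessions[session_id] = token
        return token

    def validate(self, session_id, action, token):
        expected = self.sessions.get(session_id)
        if expected is None or token is None:
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self.sessions[session_id]  # single use: consume on success
        return True


class BoundTokenStore:
    """Synchronizer token that remembers which action it was issued for."""

    def __init__(self):
        self.sessions = {}  # session_id -> {token: bound_action}

    def issue(self, session_id, action):
        token = secrets.token_urlsafe(32)
        self.sessions.setdefault(session_id, {})[token] = action
        return token

    def validate(self, session_id, action, token):
        pending = self.sessions.get(session_id, {})
        if token is None:
            return False
        # Compare against every pending token in constant time per comparison.
        matched = None
        for issued in list(pending):
            if hmac.compare_digest(issued, token):
                matched = issued
        if matched is None:
            return False
        bound_action = pending.pop(matched)  # consumed even if the check below fails
        return bound_action == action


def run_scenarios():
    """Replays a token issued with page B against action X, for both stores.

    Session id and action names below are constructed for the example.
    """
    sid = "sess-1234"
    results = {}
    for name, store_cls in (("naive", NaiveTokenStore), ("bound", BoundTokenStore)):
        store = store_cls()
        # Page B is rendered with a fresh token meant for B's own submit action.
        token = store.issue(sid, "/submitB.do")
        # Malicious user submits that token to X, which should not be reachable from B.
        results[name + "_replay_to_X"] = store.validate(sid, "/actionX.do", token)

        store = store_cls()
        token = store.issue(sid, "/submitB.do")
        # Legitimate use: token goes to the action it was issued for, exactly once.
        results[name + "_legit"] = store.validate(sid, "/submitB.do", token)
        results[name + "_second_use"] = store.validate(sid, "/submitB.do", token)
    return results


if __name__ == "__main__":
    for key, accepted in run_scenarios().items():
        print(f"{key}: {'accepted' if accepted else 'rejected'}")
```

The bound store still keeps the token check in one place: the mapping from token to action is written once when the form is rendered and read once by a central validator, so individual Actions do not have to carry their own flow-control logic, only to pass their own name to `validate`.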
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]