One incredibly annoying side effect of a solution like this:
Let's say you've got an active session for a web app, and want to follow
a link to this same app either from another web site or from an email
client: the new request won't have the appropriate token, and thus will
not be able to connect to the current session, perhaps even invalidating
it! Can anyone suggest a solution that doesn't have this ugly side
effect, yet still protects against forgery? (If there is any entry
point that allows you to connect to the current session without supplying
the additional authentication token, the forger could request that page,
parse it to find the token, then submit an authenticated, forged request!)
-Dale
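An added illustration of the design question above (example code, not from Dale or from any project on this list): the session is located by its cookie as usual, a per-session synchronizer token is embedded only in pages the app itself serves, and the token is checked only on state-changing methods. A link followed from an email client (a cookie-bearing GET without a token) therefore still reaches the session, while a POST lacking the token is refused without touching the session. The `Session` class and `handle_request` function are assumptions made for the example.

```python
import hmac
import secrets

# Methods that must not change state and so need no token (assumed convention).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    """Server-side session found via the session cookie; carries its own CSRF token."""

    def __init__(self):
        self.id = secrets.token_urlsafe(16)
        self.csrf_token = secrets.token_urlsafe(32)  # synchronizer token, one per session
        self.data = {"cart": []}


def render_form(session):
    """A page the app serves to the logged-in user; embeds the token in a hidden field."""
    return (
        '<form method="post" action="/checkout">'
        f'<input type="hidden" name="_csrf" value="{session.csrf_token}">'
        "</form>"
    )


def handle_request(session, method, params):
    """Return (status, reason) for a request that arrived with a valid session cookie.

    Safe methods never need the token, so a plain link from an email or another
    site keeps working.  State-changing methods must present the token that
    only the app's own pages contain; a mismatch is rejected and the session
    is left intact rather than invalidated.
    """
    if method.upper() in SAFE_METHODS:
        return 200, "ok: safe method, session kept"
    supplied = params.get("_csrf", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "forbidden: missing or wrong token, session untouched"
    session.data["cart"].append(params.get("item", "?"))
    return 200, "ok: state change applied"


if __name__ == "__main__":
    s = Session()
    print(handle_request(s, "GET", {}))                       # link from an email client
    print(handle_request(s, "POST", {"item": "book"}))        # no token: refused
    print(handle_request(s, "POST", {"item": "book", "_csrf": s.csrf_token}))
```

The token only appears in responses the app renders for the session's own user, which other origins cannot read in a browser, so exposing it in those pages does not hand it to a forged request.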