If there was a way of doing that, wouldn't it defeat the protection?
Another thing, does the HDIV plugin have this already?

musachy

On 7/31/07, Dale Newfield <[EMAIL PROTECTED]> wrote:
> One incredibly annoying side effect of a solution like this:
> Let's say you've got an active session for a web-app, and want to follow
> a link to this same app either from another web site or from an email
> client:  The new request won't have the appropriate token, and thus will
> not be able to connect to the current session, perhaps even invalidating
> it!  Can anyone suggest a solution that doesn't have this ugly side
> effect, yet still protects against forgery?  (If there is any entry
> point that allows you to connect to the current session w/o supplying
> the additional authentication token, the forger could request that page,
> parse it to find the token, then submit an authenticated, forged request!)
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
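The side effect Dale describes comes from requiring the token on every request. As an added example (not code from this thread, from Struts, or from the HDIV plugin), the following framework-neutral Python sketch shows the usual defensive design: the token is stored in the server-side session and demanded only on state-changing methods, so a plain GET link followed from an e-mail still resolves to the existing session, while a forged POST (which the browser sends with the victim's session cookie but without the token) is rejected. The `Session`, `Request`, `csrf_check` and `TOKEN_FIELD` names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Methods that must not change state; they never need the token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical name of the hidden form field carrying the token.
TOKEN_FIELD = "csrf_token"


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in a URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    session: Optional[Session]       # resolved from the session cookie
    params: dict = field(default_factory=dict)


def csrf_check(request: Request) -> tuple:
    """Return (allowed, reason).

    Safe (read-only) methods pass without a token, so a deep link from an
    e-mail or another site still connects to the current session. Any other
    method must carry the token that belongs to that same session.
    """
    if request.session is None:
        return False, "no session"
    if request.method.upper() in SAFE_METHODS:
        return True, "safe method, token not required"
    supplied = request.params.get(TOKEN_FIELD)
    if supplied is None:
        return False, "missing token"
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(supplied.encode(), request.session.csrf_token.encode()):
        return False, "token mismatch"
    return True, "token ok"


def render_form(session: Session) -> str:
    """Embed the session's token in a same-origin page; this is the only
    place the token is handed out, and only to the session's own browser."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}">'
        "</form>"
    )


def demo() -> dict:
    """Run four constructed requests against one session and collect the verdicts."""
    alice = Session(user="alice")
    # Link clicked from an e-mail client: cookie is sent, no token is present.
    deep_link = Request("GET", "/account", alice)
    # Cross-site forged POST: the browser attaches alice's cookie, but the
    # attacker's page cannot read her token, so none is supplied.
    forged = Request("POST", "/transfer", alice, {"amount": "100"})
    # Forged POST with a token the attacker made up.
    guessed = Request("POST", "/transfer", alice, {TOKEN_FIELD: secrets.token_urlsafe(32)})
    # Legitimate POST from the form rendered for alice.
    legit = Request("POST", "/transfer", alice, {TOKEN_FIELD: alice.csrf_token})
    return {
        "deep_link": csrf_check(deep_link),
        "forged": csrf_check(forged),
        "guessed": csrf_check(guessed),
        "legit": csrf_check(legit),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

The design only holds if every state-changing action really is behind a non-safe method; a GET that modifies data would reopen the hole, so that is the first thing to audit when applying this pattern to an existing application.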
