If there was a way of doing that, wouldn't it defeat the protection? Another thing, does the HDIV plugin have this already?

musachy

On 7/31/07, Dale Newfield <[EMAIL PROTECTED]> wrote:
> One incredibly annoying side effect of a solution like this:
> Let's say you've got an active session for a web-app, and want to follow
> a link to this same app either from another web site or from an email
> client: The new request won't have the appropriate token, and thus will
> not be able to connect to the current session, perhaps even invalidating
> it! Can anyone suggest a solution that doesn't have this ugly side
> effect, yet still protects against forgery? (If there is any entry
> point that allows you to connect to the current session w/o supplying
> the additional authentication token, the forger could request that page,
> parse it to find the token, then submit an authenticated, forged request!)
>
> -Dale
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
"Hey you! Would you help me to carry the stone?" Pink Floyd
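The trade-off Dale raises (a per-session token that every request must carry breaks links followed from e-mail or other sites) is usually resolved by requiring the token only on state-changing requests. The model below is an added example written for this thread; it is not code from Struts, HDIV, or either poster, and the `Session`, `render_form` and `check_request` names are assumptions. It shows a deep link arriving as a GET without a token still landing in the existing session, while a POST that lacks the token, or carries the wrong one, is rejected without invalidating the session.

```python
import hmac
import secrets

# Methods that by contract must not change server state. A link followed
# from an e-mail client or another site arrives as one of these and
# carries no token, so they are exempt from the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    """Hypothetical server-side session holding one CSRF token (assumption)."""

    def __init__(self):
        self.id = secrets.token_hex(16)
        self.csrf_token = secrets.token_urlsafe(32)
        self.active = True


def render_form(session):
    """Embed the session's token in a form served to the legitimate user.

    Only a page served inside the user's own session carries the token;
    a cross-site page cannot read this response, so it cannot copy it.
    """
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '</form>'
    )


def check_request(session, method, submitted_token):
    """Synchronizer-token check. Returns (allowed, reason).

    Safe methods pass without a token, so deep links keep working and the
    session is never invalidated by them. State-changing methods must carry
    the token issued to this session; a missing or wrong token rejects the
    request but leaves the session active, so a forged request cannot be
    used to log the victim out.
    """
    if not session.active:
        return False, "no active session"
    if method.upper() in SAFE_METHODS:
        return True, "safe method, token not required"
    if submitted_token is None:
        return False, "state-changing request without token"
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(submitted_token.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return False, "token mismatch"
    return True, "token valid"


def walkthrough():
    """Constructed scenario: e-mail link, forged POST, legitimate POST."""
    session = Session()
    results = {
        # User clicks a link in an e-mail: no token, but it is a GET.
        "email_link": check_request(session, "GET", None),
        # Cross-site form auto-submits a POST with no token.
        "forged_no_token": check_request(session, "POST", None),
        # Attacker guesses a token value (constructed, wrong).
        "forged_bad_token": check_request(session, "POST", "guessed-value"),
        # Legitimate form rendered inside the session submits the real token.
        "legit_post": check_request(session, "POST", session.csrf_token),
        "session_still_active": session.active,
    }
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

Whether a failed check should terminate the session is a policy choice; this model deliberately does not, because an attacker who could invalidate sessions with forged requests would gain a denial-of-service lever for free.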