On Wednesday, August 5, 2015 at 11:50:32 AM UTC-4, José Borba wrote:
> Additionally, this[1] part of the web2py book can help you too.
>
> *********************************
>
> ... By default, Auth protects logins against cross-site request forgeries (CSRF). This is actually provided by web2py's standard CSRF protection whenever forms are generated in a session. However, under some circumstances, the overhead of creating a session for login, password request and reset attempts may be undesirable. DOS attacks are theoretically possible. CSRF protection can be disabled for Auth forms (as of v 2.6):
>
>     Auth = Auth(..., csrf_prevention = False)
>
> Note that doing this purely to avoid session overload on a busy site is not recommended because of the introduced security risk. Instead, see the Deployment chapter for advice on reducing session overheads.......
>
> ****************************
>
> [1] - http://web2py.com/books/default/chapter/29/09/access-control
Note, the above is not relevant in this case. web2py only employs CSRF protection with forms created via FORM and SQLFORM (including the Auth forms), but in this case, no Auth forms are being used, as basic auth is being used for login. In fact, with basic auth, CSRF protection is not relevant, as the login credentials are being passed on every request (yet, you don't want to set csrf_prevention=False, in case you are still making the default Auth actions available, as they do rely on forms).

Anthony

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
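To make the distinction in Anthony's reply concrete, here is an added example (not code from the thread or from web2py itself) that models the two login paths side by side in plain Python: an HTTP Basic path, where the Authorization header carries the credentials on every request and there is no session-bound form key for a CSRF token to guard, and a form path, where a random per-form key is minted into the session at render time and must be echoed back on submit. The `_formname`/`_formkey` field names are borrowed from web2py's form convention as an assumption only; the user store, password, salt and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user store for the example (hypothetical credentials, not from
# the original thread): username -> (salt, PBKDF2-SHA256 hash of the password).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"example-salt-16b"
USERS = {"alice": (_SALT, _hash("s3cret", _SALT))}


def verify_password(user: str, password: str) -> bool:
    """Constant-time password check; unknown users cost the same as known ones."""
    rec = USERS.get(user)
    if rec is None:
        _hash(password, _SALT)  # burn the same work so timing does not leak existence
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


# --- Path 1: HTTP Basic auth. The client resends the credentials on every
# request, so the server checks them per request and keeps no form state. ---
def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a Basic-auth client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def basic_auth_user(headers: dict) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user if verify_password(user, password) else None


# --- Path 2: session-backed login form. A random key is stored in the session
# when the form is rendered and must come back with the POST. A cross-site
# attacker can make the victim's browser submit the form but cannot read the
# victim's session, so the forged request lacks the key and is refused. ---
def issue_form(session: dict, formname: str) -> dict:
    """Render-time step: mint a one-time key and remember it in the session."""
    key = secrets.token_urlsafe(32)
    session.setdefault("_formkeys", {})[formname] = key
    return {"_formname": formname, "_formkey": key}  # hidden fields in the page


def accept_form(session: dict, post: dict) -> bool:
    """Submit-time step: accept only if the posted key matches the session's copy."""
    formname = post.get("_formname", "")
    expected = session.get("_formkeys", {}).get(formname)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, post.get("_formkey", ""))
    # One-time use: consume the key on any attempt so replays and guesses fail.
    del session["_formkeys"][formname]
    return ok


def form_login(session: dict, post: dict) -> Optional[str]:
    """Form-based login that, like an Auth form, refuses a POST without a valid key."""
    if not accept_form(session, post):
        return None
    user = post.get("username", "")
    return user if verify_password(user, post.get("password", "")) else None
```

Turning CSRF prevention off would only change `accept_form`; `basic_auth_user` has nothing to turn off, because its per-request credential check is all the authentication there is. That is why the reply says the book's `csrf_prevention` setting does not bear on the Basic-auth login, while it still matters if the form-based Auth actions remain reachable.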