On Tue, Aug 20, 2013 at 11:42:42AM +0200, Koen Deforche wrote:
> CSRF = Cross Site Request Forgery; that's already an attack.

Thanks Koen! My terminology was a bit sloppy.

> That's close. It's even the case that Wt will ignore the session ID
> (or refuse the request, I forget now what we actually do) if you would
> put it in a URL for a page refresh. This is a second defense in Wt to
> make a stolen session ID even useless. Again, this is all under the
> assumption of an Ajax session.

That's an interesting feature. I was not aware of that. It would certainly add a kink into any BREACH attack attempt. :-)

Thanks again!

- Chris