[Owasp-csrfguard] question about per-page prevention tokens
Patrick Radtke
pradtke at stanford.edu
Wed Oct 19 18:33:59 EDT 2011
It is based on URI. The URI is the same regardless of query parameters.
On 10/17/11 10:07 AM, uh nonuhmes wrote:
> hi,
>
> i could be wrong, but it is my understanding that a unique per page
> token will only be generated based on the page name (eg, foo.htm,
> bar.jsp, yada.aspx, etc) but not on the page+params (eg,
> foo.htm?p1=1&p2=blah or foo.htm?p1=1&p2=blahblah). the way i see it,
> a "unique page" is unique when page+params are not equal (ie, current
> uri vs previous uri), not just page.
>
> or maybe this topic has already been discussed, and i missed it in my
> searches. if so, forgive me as i am new to this list.
>
> -- norm
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20111019/36fa7f28/attachment.html
More information about the Owasp-csrfguard
mailing list