[Owasp-csrfguard] question about per-page prevention tokens

Patrick Radtke pradtke at stanford.edu
Wed Oct 19 18:33:59 EDT 2011


It is based on URI. The URI is the same regardless of query parameters.

On 10/17/11 10:07 AM, uh nonuhmes wrote:
> hi,
>
> i could be wrong, but it is my understanding that a unique per page 
> token will only be generated based on the page name (eg, foo.htm, 
> bar.jsp, yada.aspx, etc) but not on the page+params (eg, 
> foo.htm?p1=1&p2=blah or foo.htm?p1=1&p2=blahblah).  the way i see it, 
> a "unique page" is unique when page+params are not equal (ie, current 
> uri vs previous uri), not just page.
>
> or maybe this topic has already been discussed, and i missed it in my 
> searches.  if so, forgive me as i am new to this list.
>
> -- norm
>
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
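
An added example, not part of the original thread and not CSRFGuard's own code: a minimal model of the behaviour described in the reply, where the per-page token is looked up by URI path and the query string plays no part. The class `PerPageTokens` and its methods are hypothetical names, and the map stands in for per-session storage.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration: a per-page token store keyed on the URI path only.
// PerPageTokens and its methods are hypothetical, not CSRFGuard classes.
public class PerPageTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // Stands in for the per-session map of page -> token.
    private final Map<String, String> tokens = new HashMap<>();

    // The key is the path; the query string is dropped, so
    // /foo.htm?p1=1&p2=blah and /foo.htm?p1=1&p2=blahblah are the same page.
    static String pageKey(String requestTarget) {
        return URI.create(requestTarget).getRawPath();
    }

    // Returns the token for the page, creating it on first use.
    String tokenFor(String requestTarget) {
        return tokens.computeIfAbsent(pageKey(requestTarget), k -> {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    // Constant-time comparison of the submitted token with the stored one.
    boolean verify(String requestTarget, String submitted) {
        String expected = tokens.get(pageKey(requestTarget));
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        PerPageTokens session = new PerPageTokens();
        // Constructed sample requests, using the page names from the question.
        String a = session.tokenFor("/foo.htm?p1=1&p2=blah");
        String b = session.tokenFor("/foo.htm?p1=1&p2=blahblah");
        String c = session.tokenFor("/bar.jsp");
        System.out.println("same page, different params share a token: " + a.equals(b));
        System.out.println("different page gets a different token: " + !a.equals(c));
        System.out.println("foo.htm token accepted on bar.jsp: " + session.verify("/bar.jsp", a));
    }
}
```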
