[Owasp-csrfguard] question about per-page prevention tokens
pradtke at stanford.edu
Wed Oct 19 18:33:59 EDT 2011
It is based on URI. The URI is the same regardless of query parameters.
On 10/17/11 10:07 AM, uh nonuhmes wrote:
> i could be wrong, but it is my understanding that a unique per page
> token will only be generated based on the page name (eg, foo.htm,
> bar.jsp, yada.aspx, etc) but not on the page+params (eg,
> foo.htm?p1=1&p2=blah or foo.htm?p1=1&p2=blahblah). the way i see it,
> a "unique page" is unique when page+params are not equal (ie, current
> uri vs previous uri), not just page.
> or maybe this topic has already been discussed, and i missed it in my
> searches. if so, forgive me as i am new to this list.
> -- norm
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-csrfguard