[ OWASP - Montréal ]XSFR/CSFR testing difficulty level

Sean Coates sean at caedmon.net
Fri Nov 28 09:25:24 EST 2008

> Even using secret token it's now enough anymore.  You have to do more
> (but still use the token), where you will do page follow-up and
> confirmations pages.

Please explain. ?

There's a certain balance between "secure enough" and "driving my  
users crazy" (-:


More information about the Owasp-montreal mailing list