nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
From: " ." <oscar.vives () gmail com>
Date: Mon, 21 Jan 2013 09:26:40 +0100
On 21 January 2013 07:19, Matt Palmer <mpalmer () hezmatt org> wrote: ...
> If the form is submitted without the correct POST value, if their IP address changed, or after too many seconds since the timestamp, then redisplay the form to the user, with a request for them to visually inspect and confirm the submission.
>
> Which is decidedly more user-friendly than most people implement, but suffers from the problem that some subset of your userbase is going to be using a connection that doesn't have a stable IP address, and it won't take too many random "please re-confirm the form submission you made" requests before the user gives your site the finger and goes to find something better to do.
You want to stop the CSRF problem, but you also want to support a user logging in from one IP and submitting a "delete account" button *the next second* from a different IP. Then you want this solution to be more cost-effective than cookies.

Maybe ask the user for his password.

    <form method="post">
      <input type="hidden" name="id_user" value="33">
      <input type="hidden" name="action" value="delete_user">
      <input type="submit" value="Delete user">
      <p>For this action you must provide the password.</p>
      <input type="password" name="password" value="">
    </form>

Even if this request comes from an IP in China, you can allow it.

--
End of message.
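One way to combine the two ideas in this thread (the timestamped form token from the quoted text, minus the IP binding that breaks for roaming users, and the password re-prompt proposed in this reply), written as an added example that is not code from either poster. The session store, the user record, the 10-minute token lifetime and the `csrf_token` field name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-deployment secret and a 10-minute token lifetime.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600

def issue_token(session_id, action, now=None):
    """Mint a CSRF token bound to the session and the action, not to the client IP."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_KEY, f"{session_id}|{action}|{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()}"

def check_token(token, session_id, action, now=None):
    """True only if the token is well-formed, unexpired and signed for this session/action."""
    try:
        ts, mac = token.split(".", 1)
        ts = int(ts)
    except (ValueError, AttributeError):
        return False
    now = int(time.time()) if now is None else now
    if not 0 <= now - ts <= TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}|{action}|{ts}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac, expected.hexdigest())

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# Constructed records: the logged-in session belongs to user 33 from the posted form.
SESSIONS = {"sess-a1b2": "33"}
USERS = {"33": dict(zip(("salt", "pw"), hash_password("correct horse battery")))}

def handle_delete_user(form, session_id, now=None):
    """Return 'deleted', 'reconfirm' (redisplay the form) or 'rejected' for a delete_user POST."""
    user_id = SESSIONS.get(session_id)
    if user_id is None or form.get("action") != "delete_user" or form.get("id_user") != user_id:
        return "rejected"                     # no session, or hidden id does not match the session owner
    if not check_token(form.get("csrf_token"), session_id, "delete_user", now):
        return "reconfirm"                    # missing or stale token: ask the user to confirm again
    user = USERS[user_id]
    if not verify_password(form.get("password", ""), user["salt"], user["pw"]):
        return "reconfirm"                    # a cross-site forger cannot supply the password
    return "deleted"
```

The client IP never enters the decision, so a user whose address changes between login and the delete click is not bounced, while a forged cross-site POST still fails on both the token and the password.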