nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

From: " ." <oscar.vives () gmail com>
Date: Mon, 21 Jan 2013 09:26:40 +0100
On 21 January 2013 07:19, Matt Palmer <mpalmer () hezmatt org> wrote:
...

If the form is submitted without the correct POST value,  if their IP
address changed,  or after too many seconds since the timestamp,
then redisplay the form to the user,  with a request for them to
visually inspect and confirm the submission.


Which is decidedly more user-friendly than most people implement, but
suffers from the problem that some subset of your userbase is going to be
using a connection that doesn't have a stable IP address, and it won't take
too many random "please re-confirm the form submission you made" requests
before the user gives your site the finger and goes to find something better
to do.



You want to stop the CSRF problem, but you want to support a user
making the login in a IP, and submiting a "delete account" button *the
next second* from a different IP. then you want this solution to be
better cost effective than cookies.

Maybe ask the user his password.

 <form method="post">
 <input type="hidden" name="id_user" value="33">
 <input type="hidden" name="action" value="delete_user">
 <input type="submit" value="Delete user">
 <p>For this action you must provide the password. </p>
 <input type="password" name="password" value="">
 </from>

Even if this request come from a IP in china, you can allow it.

--
--
ℱin del ℳensaje.
Previous By Date Next
Previous By Thread Next

Current thread: