- 29.10.03 11:20
-
from the LJ documentation:
When web pages use cookie authentication, you can't just trust that the remote user wants to do the action they're requesting. It's way too easy for people to force other people into making GET requests to a server. What if a user requested http://server/delete_all_journal.bml and that URL checked the remote user and immediately deleted the whole journal? Now all anybody has to do is embed that address in an image tag and a lot of people's journals will be deleted without them knowing. Cookies should only show pages which make no action. When an action is being made, check that it's a POST request.
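The image-tag attack the LJ text describes, played out against a toy cookie-authenticated handler. This is an added example, not LiveJournal's code: the server class, session store, cookie names and journal data are all constructed for illustration. It goes one step past the text: besides rejecting anything that is not a POST (which stops the `<img>` GET), the hardened handler also checks a per-session token embedded in the server's own form, because an attacker's page can auto-submit a POST with the victim's cookie just as easily as it can trigger a GET, but cannot read the token.

```python
import hmac
import secrets


class JournalServer:
    """Tiny stand-in for a cookie-authenticated site (constructed example,
    not LiveJournal's code). require_post_and_token=False reproduces the
    dangerous behaviour the LJ text describes; True is the hardened form."""

    def __init__(self, require_post_and_token):
        self.require_post_and_token = require_post_and_token
        # Session cookie value -> session record; the CSRF token is per session.
        # (Assumed names; any real site keeps these in its own session store.)
        self.sessions = {"sess-abc": {"user": "alice",
                                      "csrf": secrets.token_hex(16)}}
        self.journals = {"alice": ["entry 1", "entry 2"]}

    def user_from_cookie(self, cookies):
        """Resolve the logged-in user from the session cookie, or None."""
        sess = self.sessions.get(cookies.get("session", ""))
        return sess["user"] if sess else None

    def csrf_token_for(self, cookies):
        """The token the server embeds in its own delete form for this session."""
        return self.sessions[cookies["session"]]["csrf"]

    def delete_all_journal(self, method, cookies, form):
        """Handler for /delete_all_journal.bml. Returns (status, message)."""
        user = self.user_from_cookie(cookies)
        if user is None:
            return 401, "not logged in"
        if self.require_post_and_token:
            # A GET triggered by <img src=...> is refused here.
            if method != "POST":
                return 405, "state-changing action requires POST"
            # A hidden auto-submitting form on an attacker's page can still
            # POST with the victim's cookie, but cannot read the token that
            # only the server's own form page contains.
            expected = self.sessions[cookies["session"]]["csrf"]
            if not hmac.compare_digest(form.get("csrf", ""), expected):
                return 403, "missing or wrong CSRF token"
        # Vulnerable mode reaches this on any method, cookie alone suffices.
        self.journals[user].clear()
        return 200, "journal deleted"


# The browser-side view of the attack: the victim loads a page containing
#   <img src="http://server/delete_all_journal.bml">
# The browser fetches it with a GET and attaches alice's cookie automatically.
VICTIM_COOKIES = {"session": "sess-abc"}


def image_tag_attack(hardened):
    """GET with the victim's cookie and no form data, as an <img> would send."""
    server = JournalServer(require_post_and_token=hardened)
    status, _ = server.delete_all_journal("GET", VICTIM_COOKIES, form={})
    return status, len(server.journals["alice"])


def forged_post_attack(hardened):
    """Attacker's page auto-submits a POST form; the token is unknown to it."""
    server = JournalServer(require_post_and_token=hardened)
    status, _ = server.delete_all_journal("POST", VICTIM_COOKIES, form={})
    return status, len(server.journals["alice"])


def legitimate_delete():
    """Alice submits the server's own form, which carries her token."""
    server = JournalServer(require_post_and_token=True)
    form = {"csrf": server.csrf_token_for(VICTIM_COOKIES)}
    status, _ = server.delete_all_journal("POST", VICTIM_COOKIES, form)
    return status, len(server.journals["alice"])


if __name__ == "__main__":
    print("img GET, vulnerable server :", image_tag_attack(hardened=False))
    print("img GET, hardened server   :", image_tag_attack(hardened=True))
    print("forged POST, hardened      :", forged_post_attack(hardened=True))
    print("legitimate POST + token    :", legitimate_delete())
```

Each function returns the HTTP status and how many journal entries survive: the vulnerable server loses everything to the image-tag GET, the hardened one refuses the GET outright and the forged POST for lack of a token, and only the real form submission deletes.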