Storing previous URL as session data
#6

[eluser]n0xie[/eluser]
The answer is a bit difficult. There is a security check built in which prevents cross-domain POST via JavaScript. This used to be part of the whole security against CSRF. But lately it has become much easier to even do cross-domain AJAX POSTs, as shown here and here, so basically, even though you have to jump through hoops to get it to work, cross-domain JavaScript POSTs are possible. The best thing you can do is rely on countermeasures. You can read up on the subject here: http://stackoverflow.com/questions/298745/how-do-i-send-a-cross-domain-post-request-via-javascript

Quote: I'm doing checks to make sure the user is logged in and the item being deleted belongs to the logged-in user.

These checks mean nothing to CSRF. To your webserver/website it will seem as if the user actually wanted to do the action; the browser will send whatever authentication you have on your site (cookie/sessions) and the damage will be done. For normal users, the damage may be as simple as just logging out, but if an administrator were to 'fall' for the exploit, it could mean he deletes every user in the database.
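The countermeasure the post alludes to is usually a synchronizer token: a random, per-session secret that the form includes and the handler verifies, so a request forged from another site (which cannot read the victim's page or session) fails the check even though the browser attaches the session cookie. The following is an added example in plain PHP, not code from the thread or from CodeIgniter; the function names (`csrf_token`, `csrf_field`, `csrf_valid`) and the `delete_item` call are assumptions for illustration.

```php
<?php
// Added example (not from the thread): synchronizer-token CSRF protection
// for a state-changing POST handler. Function names are assumed/hypothetical.

session_start();

// Create the per-session token once and reuse it; 32 random bytes, hex encoded.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every form that changes state (delete, update, ...).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time.
// A forged cross-site POST carries the cookie but cannot know this value.
function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // The checks from the original post are still required on top of the token:
    // the user must be logged in and must own the item being deleted.
    // delete_item((int) $_POST['item_id'], $_SESSION['user_id']);   // hypothetical
}
```

The token check belongs on every request that changes state, and those requests should be POST only, since a GET that mutates data can be triggered by a plain image tag or link with no JavaScript at all. CodeIgniter 2.0 and later ship an equivalent built-in check behind `$config['csrf_protection']`, but the mechanism is the same as above.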

