Storing previous URL as session data
#12

[eluser]n0xie[/eluser]
[quote author="Jondolar" date="1271231452"]
The key is to validate that the user is logged in AND has authority to delete the requested record. If the user does not own the record, don't let them delete it.[/quote]
You are missing the point.

1. If I as a user can delete any record simply by changing a number in the URL, you have much bigger problems than CSRF
2. If you had a 'userlevel' higher than the user in question, you'd still be able to delete it. In a role based system, this is quite common. For day to day websites, usually the site administrator has FULL access to everything and the only check that is done is:
Code:
$this->auth->is_admin()
3. There is nothing preventing me redirecting you to a page where I have 100.000 different id's for you to delete. If you hit that page, you will delete all the rows you have access to:
Code:
<img src='yoursite.tld/somepage/delete/1' />
<img src='yoursite.tld/somepage/delete/2' />
<img src='yoursite.tld/somepage/delete/3' />
// etc...

Quote:There’s nothing wrong with doing destructive actions using get,
Yes there is. It's in direct conflict with the HTTP spec. A GET request should only be used for idempotent requests (i.e. when requesting a resource which does not change state). The prime example being when Google implemented prefetch caching (i.e. they loaded all the links on a page in the background so you would have an instantaneously loaded page when you clicked on a link). Guess what happened when this was used on URLs like 'yoursite.tld/somepage/delete/{id}'.

Quote:- Save the code to a cookie AND put it in either a post variable or in the URL which deletes the entry (example: mysite.com/thing/delete/25/1f3870be274f6c49b3e31a0c6728957f)
POST, yes, URL, no. Putting an arbitrary hash in the URL is just another way of saying: please brute force me.

Quote:From what I’ve been reading, using tokens in forms that uniquely relate to the user’s session, and checking the existence/matching of the tokens, is a way to help secure a site against CSRF.
Bingo.
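The approach the reply agrees with, as an added example that is not from the thread or from CodeIgniter itself: a token bound to the session, carried only in a POST body, checked before a destructive action. Plain PHP, no framework; the ownership helper `current_user_owns()` is a hypothetical name.

```php
<?php
// Added example (not from the thread): a session-bound CSRF token for a
// destructive action, accepted over POST only. Plain PHP, no framework.

session_start();

// Issue one token per session and reuse it until the session ends.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Reject anything that is not a POST carrying this session's token.
function csrf_check(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false; // GET must not change state, so an <img src=...> can never delete
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so timing does not leak the token
    return $expected !== '' && hash_equals($expected, $sent);
}

// Delete handler: CSRF check first, then the ownership check the thread asks for.
function handle_delete(int $id): string {
    if (!csrf_check()) {
        http_response_code(403);
        return 'rejected: not a POST, or missing/wrong CSRF token';
    }
    // Hypothetical authorization helper; an admin bypass here is exactly what
    // the token protects against, since the admin's browser can be the victim.
    // if (!current_user_owns($id)) { http_response_code(403); return 'forbidden'; }
    return "deleted record $id";
}

// The form embeds the token as a hidden field; it never appears in a URL.
function delete_form(int $id): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form method='post' action='/somepage/delete/$id'>"
         . "<input type='hidden' name='csrf_token' value='$t'>"
         . "<button type='submit'>Delete</button></form>";
}
```

A page from another origin can still make the browser send the POST, but it cannot read the session token to include in it, so the request fails the check.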

