04-13-2010, 11:12 PM
[eluser]crikey[/eluser]
I think the point, Jondolar (is your username from the Jean M. Auel books?), really is that the (legitimate) user should only delete if: 1) they're logged in, 2) they have permission to delete the item *and* 3) they're knowingly deleting the item using the application/website.
CSRF attacks can occur if 1 and 2 are true but not necessarily 3.
From what I've been reading, using tokens in forms that uniquely relate to the user's session, and checking the existence/matching of the tokens, is a way to help secure a site against CSRF.
Edited for grammar.
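To make the three conditions in the post concrete, here is an added example (not code from the thread or from any framework) of a per-session CSRF token: the delete handler checks login (1) and permission (2) as before, and the token existence/match check enforces (3). The function names, the session and permission dicts, and the sample user/item are my own assumptions.

```python
# Added example: a per-session CSRF token protecting a delete action.
# Assumed names and data; not taken from the original thread.
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a random token bound to this session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_delete_form(session: dict, item_id: int) -> str:
    """Embed the session's token as a hidden field in the delete form."""
    token = issue_csrf_token(session)
    return (f'<form method="post" action="/items/{item_id}/delete">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Delete</button></form>')


def handle_delete(session: dict, form: dict, item_id: int, permissions: dict) -> str:
    """Server-side check: logged in, permitted, AND token present and matching."""
    user = session.get("user")
    if user is None:
        return "rejected: not logged in"            # condition 1
    if item_id not in permissions.get(user, set()):
        return "rejected: no permission"            # condition 2
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    # Condition 3: a page on another site cannot read this session's token,
    # so a missing or non-matching token means the user did not knowingly submit.
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return f"deleted item {item_id}"


def demo() -> tuple:
    """Constructed scenario: conditions 1 and 2 hold for every request below."""
    session = {"user": "alice"}
    perms = {"alice": {7}}
    render_delete_form(session, 7)                # issues the session token
    genuine = {"csrf_token": session["csrf_token"]}
    forged = {}                                    # cross-site form: no token at all
    wrong = {"csrf_token": secrets.token_urlsafe(32)}  # cross-site guess: wrong token
    return (handle_delete(session, genuine, 7, perms),
            handle_delete(session, forged, 7, perms),
            handle_delete(session, wrong, 7, perms))


if __name__ == "__main__":
    print(demo())
```

Only the request carrying the session's own token is honoured; the two requests that satisfy conditions 1 and 2 but not 3 are refused.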