From: John Reese <jreese@le...> - 2009-04-05 18:15:28
There should be a call to forms api in the page generating the form, and two calls in the page processing the form. The calls to _field() or _param() generate a token and store that token in the user's php session associated with the form name. The _validate() call makes sure that the token sent with the form matches one stored in the session, and _purge() drops the used token from the session so that it can't be reused and to prevent double-submissions.
As for account_delete, if the form apis haven't been used, then the form is susceptible to CSRF attack, and the calls should be added to secure that form.
Paul Richards <paul@...> wrote:
>How do the security tokens work now - or more
>what's the status of things like account_delete where the helper_ensure_post stuff has been removed and there's no security token stuff added? or is it behind the scenes now... ?
Sent from my Android phone.
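The token flow described in the reply above, as an added PHP illustration that is not the project's own forms API: the `csrf_token_*` function names, the `$_SESSION['csrf_tokens']` layout and the `account_delete` walk-through are assumptions chosen for this example. The `_field()`, `_param()`, `_validate()` and `_purge()` calls mentioned in the reply correspond to the four functions below, in that order.

```php
<?php
// Added illustration of a session-backed per-form CSRF token scheme.
// Function names and the session layout are assumptions for this example;
// this is not the project's own forms API.

// Simulate the PHP session store so the script runs at the CLI without
// session_start(). In a real page, PHP populates $_SESSION itself.
$_SESSION = [];

// Generate a fresh token for $form_name and remember it in the session.
// Several tokens per form are kept so a user with two tabs open can submit either.
function csrf_token_generate(string $form_name): string
{
    $token = bin2hex(random_bytes(16));              // 128 bits from the CSPRNG
    $_SESSION['csrf_tokens'][$form_name][] = $token;
    return $token;
}

// Called from the page that renders the form: emits a hidden input.
function csrf_token_field(string $form_name): string
{
    $token = csrf_token_generate($form_name);
    return '<input type="hidden" name="' . htmlspecialchars($form_name . '_token', ENT_QUOTES) . '"'
         . ' value="' . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// Variant for links and other GET actions: returns a URL parameter fragment.
function csrf_token_param(string $form_name): string
{
    return rawurlencode($form_name . '_token') . '=' . rawurlencode(csrf_token_generate($form_name));
}

// Called first from the page that processes the form: true only if the
// submitted token is one that this user's session issued for this form.
function csrf_token_validate(string $form_name, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    foreach ($_SESSION['csrf_tokens'][$form_name] ?? [] as $stored) {
        if (hash_equals($stored, $submitted)) {      // constant-time comparison
            return true;
        }
    }
    return false;
}

// Called after the action has been performed: drop the used token so a
// replayed or double-clicked submission fails the next validate().
function csrf_token_purge(string $form_name, string $submitted): void
{
    $tokens = $_SESSION['csrf_tokens'][$form_name] ?? [];
    $_SESSION['csrf_tokens'][$form_name] = array_values(
        array_filter($tokens, fn($t) => !hash_equals($t, $submitted))
    );
}

// --- Walk-through with constructed requests ---------------------------------

// 1. The rendering page emits the hidden field for a hypothetical account_delete form.
$hidden = csrf_token_field('account_delete');
preg_match('/value="([0-9a-f]+)"/', $hidden, $m);
$token = $m[1];

// 2. The processing page receives a legitimate submission (constructed $_POST).
$post = ['account_delete_token' => $token];
$ok = csrf_token_validate('account_delete', $post['account_delete_token'] ?? null);
echo 'first submission accepted: ' . var_export($ok, true) . PHP_EOL;
if ($ok) {
    // ... perform the deletion here, then retire the token.
    csrf_token_purge('account_delete', $post['account_delete_token']);
}

// 3. The same token arrives again (double submission or replay); it must now fail.
$again = csrf_token_validate('account_delete', $post['account_delete_token'] ?? null);
echo 'replayed submission accepted: ' . var_export($again, true) . PHP_EOL;

// 4. A cross-site request carries no token, or a token issued for another form;
//    both must fail, since the attacker cannot read this user's session.
$none  = csrf_token_validate('account_delete', null);
$other = csrf_token_validate('account_delete', csrf_token_generate('account_update'));
echo 'no token accepted: ' . var_export($none, true) . ', other form token accepted: ' . var_export($other, true) . PHP_EOL;
```

The ordering matters on the processing page: `csrf_token_validate()` runs before anything is changed, and `csrf_token_purge()` runs only once the action has succeeded, so a failed action leaves the token usable for a retry while a completed one cannot be replayed. Because the stored tokens live only in the server-side session, a forged cross-site request has no way to obtain a matching value.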