Re: [Cppcms-users] Suggestion: warn if csrf enabled but missing
From: Artyom B. <art...@ya...> - 2012-04-27 06:16:00
----- Original Message -----
> From: "ele...@ex..." <ele...@ex...>
> Can't you use request().getenv("HTTP_X_CSRFTOKEN"), in combination with
> session_interface::validate_csrf_token() for checking presence?
>

validate_csrf_token uses getenv as one of the options.
I don't see the point. How would it help?

>> Also note, if the form update fails you should see a notice
>> about it in logs.
>
> Do you mean the "CSRF Validation Failed" message?
>

The message is written as a warning to the logs:

cppcms, warning: CSRF validation failed IP=XXX SCRIPT_NAME=/yyy PATH_INFO=/zzz (session_interface.cpp:120)

Make sure that logging.level is set to at least the warning level; by default only errors are written.

See: http://cppcms.com/wikipp/en/page/cppcms_1x_config#logging.level

Artyom Beilis
--------------
CppCMS - C++ Web Framework: http://cppcms.com/
CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/
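
An added example, not part of the original message and not CppCMS code: once warnings are being logged, the quoted "CSRF validation failed" line can be parsed to find URLs that fail for several distinct clients, which is the "CSRF enabled but token missing" case from the subject line. The function names, the timestamp prefix and the sample log lines are constructed assumptions; only the warning format itself comes from the message.

```python
import re
from collections import Counter, defaultdict

# Format taken from the warning quoted in the message. Anything before
# "cppcms, warning:" (such as a timestamp) is ignored; that prefix is an assumption.
CSRF_RE = re.compile(
    r"cppcms, warning: CSRF validation failed "
    r"IP=(?P<ip>\S+) SCRIPT_NAME=(?P<script>\S*) PATH_INFO=(?P<path>\S*)"
)

# Constructed sample lines (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
2012-04-27 06:10:01; cppcms, warning: CSRF validation failed IP=192.0.2.10 SCRIPT_NAME=/app PATH_INFO=/profile/edit (session_interface.cpp:120)
2012-04-27 06:10:05; cppcms, warning: CSRF validation failed IP=198.51.100.7 SCRIPT_NAME=/app PATH_INFO=/profile/edit (session_interface.cpp:120)
2012-04-27 06:11:12; cppcms, error: constructed unrelated error line (example.cpp:1)
2012-04-27 06:12:40; cppcms, warning: CSRF validation failed IP=192.0.2.10 SCRIPT_NAME=/app PATH_INFO=/comment (session_interface.cpp:120)
""".splitlines()


def parse_csrf_failures(lines):
    """Yield (client_ip, url) for every CSRF validation warning."""
    for line in lines:
        m = CSRF_RE.search(line)
        if m:
            yield m.group("ip"), m.group("script") + m.group("path")


def summarize(lines, min_clients=2):
    """Return (failures per IP, URLs failing for >= min_clients distinct IPs)."""
    hits_by_ip = Counter()
    clients_by_url = defaultdict(set)
    for ip, url in parse_csrf_failures(lines):
        hits_by_ip[ip] += 1
        clients_by_url[url].add(ip)
    # The same URL failing for several unrelated clients suggests a form or
    # AJAX call that never sends the token, rather than one misbehaving client.
    suspect_urls = sorted(
        url for url, ips in clients_by_url.items() if len(ips) >= min_clients
    )
    return hits_by_ip, suspect_urls


if __name__ == "__main__":
    per_ip, urls = summarize(SAMPLE_LOG)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} CSRF failure(s)")
    print("URLs failing for multiple clients:", urls)
```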