Posts

Showing posts from August, 2016

OWASP quick reference

CSRF: A program, blog page or email causes the victim's browser to perform an unwanted action on a site where the victim is currently authenticated.

Objectives of CSRF: transfer money from one bank account to another; use a content management system to add or delete content on a website; change a user's password; add items to a user's shopping basket; change the delivery address of an order.

Solution: include a CSRF token in every form submission and reject any state-changing request whose token is missing or does not match. The token has to be unpredictable to the attacker and bound to the victim's session; a token that is the same for every user can simply be fetched by the attacker with their own account and embedded in the forged form.

Example: A user logged into his bank site, did not log out, and then clicked a link on another (attacker-controlled) site. Because his session with the bank was still valid, the page he landed on, which imitated a bank form, made an HTTP POST to the bank site with his cookies attached, and the funds were transferred. http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx/

Example of creating your own CSRF token and validating it in Drupal. In the <form>, create a hidden field 'token' whose value is $formtoken = md5(drupal_get_hash_salt().$nid.$origin.$build_id.$form_nam...
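As an added example (not the post's own code and not Drupal's API), here is a self-contained PHP script showing the same idea end to end: a token derived from a server-side secret with an HMAC, bound to the user's session and to the form it protects, and compared in constant time on submission. The secret, the session ids, the form name and the three simulated POST requests (legitimate, cross-site without a token, cross-site with a token the attacker obtained from their own session) are all constructed for the illustration; the secret stands in for drupal_get_hash_salt().

```php
<?php
// Added example, not Drupal code. $secret and the session ids below are
// constructed stand-ins for the site hash salt and the real PHP session.

// Server-side secret; it is never sent to the client.
$secret = 'constructed-site-secret-do-not-reuse';

// Derive the token for one form in one session. An HMAC (rather than a bare
// md5 of a concatenation) keeps the secret unrecoverable, and the NUL
// separator stops field boundaries from shifting ("ab"."c" vs "a"."bc").
function csrf_token(string $secret, string $session_id, string $form_id): string
{
    return hash_hmac('sha256', $session_id . "\0" . $form_id, $secret);
}

// Validate a submitted token. hash_equals() compares in constant time, so
// timing does not reveal how many leading bytes of a guess were correct.
function csrf_valid(string $secret, string $session_id, string $form_id, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;          // token absent: reject, do not fall through
    }
    return hash_equals(csrf_token($secret, $session_id, $form_id), $submitted);
}

// ---- Simulated requests (constructed) ----

// The victim logs in; the bank assigns a session and renders the transfer
// form with the token in a hidden field (HTML-escaped as any attribute must be).
$victim_session = bin2hex(random_bytes(16));
$form_id        = 'bank_transfer_form';
echo '<input type="hidden" name="token" value="'
    . htmlspecialchars(csrf_token($secret, $victim_session, $form_id), ENT_QUOTES)
    . '">', PHP_EOL;

// 1. Legitimate submission: the browser posts the hidden token back.
$legit_post = [
    'amount' => '100',
    'to'     => 'savings',
    'token'  => csrf_token($secret, $victim_session, $form_id),
];
var_dump(csrf_valid($secret, $victim_session, $form_id, $legit_post['token'] ?? null));

// 2. Cross-site POST from the attacker's page: the session cookie rides along
//    automatically, but the attacker's page cannot read the victim's token,
//    so the field is missing.
$csrf_post = ['amount' => '100000', 'to' => 'attacker'];
var_dump(csrf_valid($secret, $victim_session, $form_id, $csrf_post['token'] ?? null));

// 3. Attacker logs in with their own account, copies a token from their own
//    session and embeds it in the forged form. Because the token is bound to
//    the session that issued it, it does not validate for the victim's session.
$attacker_session = bin2hex(random_bytes(16));
$copied_token     = csrf_token($secret, $attacker_session, $form_id);
var_dump(csrf_valid($secret, $victim_session, $form_id, $copied_token));
```

Run it with `php csrf_example.php`. The script is designed so that only the first submission validates: case 2 fails because the token is absent, and case 3 fails because the token was issued for a different session, which is exactly the property a token built only from site-wide values (salt, node id, form name) would lack. In a real application the session id comes from the framework's session handling rather than a local variable, and the check must run on every state-changing request, not only on the form that rendered the field.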