couchdb-dev mailing list archives

From Florian Weimer
Subject Re: Futon cannot use the RESTful HTTP API
Date Fri, 19 Feb 2010 11:43:23 GMT
* Paul Davis:

> Do you have any examples of how other sites have protected against
> this? Unless I'm missing something I don't see how this is specific to
> Futon so surely someone else has some explicit documentation on how to
> avoid such things.

The standard countermeasure puts session identifiers into URLs
(sometimes they are called "form tokens", but this doesn't fit the
context here).

Upon login, the client could specify if it wants a session with or
without form tokens.

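The scheme Florian outlines, as an added illustration that is not CouchDB or Futon code: login returns a session cookie and, if the client asked for one, a per-session form token; state-changing requests on such a session must carry that token in the URL, while a session created without form tokens is accepted on the cookie alone. The in-memory session store, the `token` query parameter name and the `authorize` function are assumptions made for this sketch.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Session:
    user: str
    form_token: Optional[str]  # None when the client opted out at login


# Constructed in-memory session store standing in for the server's own.
SESSIONS: Dict[str, Session] = {}


def login(user: str, with_form_token: bool) -> Tuple[str, Optional[str]]:
    """Create a session cookie value and, on request, a form token bound to it."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32) if with_form_token else None
    SESSIONS[session_id] = Session(user, token)
    return session_id, token


def authorize(method: str, url: str, cookie_session: Optional[str]) -> Tuple[int, str]:
    """Decide whether a request may proceed; returns (HTTP status, reason).

    Safe methods only need a valid session. State-changing methods on a
    token-protected session must also carry the session's form token in the
    URL; a request that arrives with just the cookie is refused.
    """
    session = SESSIONS.get(cookie_session) if cookie_session else None
    if session is None:
        return 401, "no valid session"
    if method in SAFE_METHODS:
        return 200, "ok"
    if session.form_token is None:
        return 200, "ok (session without form tokens)"
    supplied = parse_qs(urlsplit(url).query).get("token", [""])[0]
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(supplied, session.form_token):
        return 403, "missing or wrong form token"
    return 200, "ok"
```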