Steve Piercy - Web Site Builder
Re-validating passwords to prevent CSRF
Jul 30, 2010; 15:04
To prevent cross-site forgery requests, I want the user to re-enter their password and compare it against what has previously been stored in the user session after logging in. You typically see things like this on bank sites where you must re-enter your password to change any personal information.
I've been floundering through Knop, trying various things, none of which work. I dug into the Knop user type, but didn't see anything obvious. User information is stored in a users table with username, encrypted password, and a salt field. However, when I try to compare these values, they never match.
and the result from this is exactly the same as using user->encrypt.
Where is my mistake? Or is there an obvious and simple method that I am overlooking? user->login obliterates the session, so I cannot use that.
--steve
-- 
Steve Piercy, Web Site Builder, Soquel, CA <web@StevePiercy.com> <http://www.StevePiercy.com/>
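The pattern the post asks about, re-entering the password before a sensitive action and checking it against the stored salted hash, shown as an added, framework-neutral example. This is not Knop's code and does not use Knop's user type or user->encrypt; the record layout, the `change_email` guard and the use of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hash parameters are a constructed choice for this example; whatever the
# real application uses, the re-check must use exactly the same algorithm,
# iteration count and salt as the value stored at account creation.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user_record(username: str, password: str) -> dict:
    """Constructed stand-in for a row in the users table: username, salt, hash."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "email": None,
    }


def reverify_password(record: dict, entered_password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hash_password(entered_password, record["salt"])
    # compare_digest avoids leaking where the two hashes first differ.
    return hmac.compare_digest(candidate, record["password_hash"])


def change_email(session: dict, record: dict, entered_password: str, new_email: str) -> tuple:
    """Hypothetical sensitive action guarded by password re-entry.

    A forged cross-site request can ride on the victim's session cookie, but it
    cannot supply the victim's password, so the action is refused without it.
    """
    if session.get("user") != record["username"]:
        return False, "not logged in"
    if not reverify_password(record, entered_password):
        return False, "password re-entry failed"
    record["email"] = new_email
    return True, "updated"


if __name__ == "__main__":
    # Constructed sample account and session; the real values would come from
    # the users table and the login step.
    user = create_user_record("demo", "correct horse battery staple")
    session = {"user": "demo"}
    print(change_email(session, user, "wrong password", "new@example.invalid"))
    print(change_email(session, user, "correct horse battery staple", "new@example.invalid"))
```

The two values that must be identical between the stored hash and the re-check are the salt and the hashing parameters; if either differs (a freshly generated salt, a different iteration count, a different encoding of the password text), the comparison will never succeed even for the right password.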
Steve Piercy - Web Site Builder
Re-validating passwords to prevent CSRF
Aug 02, 2010; 03:38