Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by Tom Jackson on

Eventually one time codes will be invalidated as long as scripting is available. What is needed is an interaction that can only be performed by the actual user. What this means is per request reauthentication. In order to take significant actions on the web service a user should:

  1. Re-enter their password for the resource.
    and maybe:
  2. Submit the form via https.

So, my suggestion in relation to openacs is to intercept all significant actions and construct a new form entry page containing the hidden variables plus the password entry form.

All this amounts to is a centralized confirmation page, which could be constructed from a filter or from ad_page_contract.

The reason for this approach is that web services are sometimes used by robots which do not use forms generated from the web service. Also, the base reason for this vulnerability is the re-use of authentication information.

The api should be as simple as the developer providing a flag to ad_page_contract, or a filter pattern to a 'confirm' package.
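A sketch of the centralized confirmation filter described in this post, added here as an illustration and not code from OpenACS or from the poster. The user store, the set of paths flagged as significant, and the function names are constructed assumptions; a significant action is only executed when the request carries a password that verifies, otherwise the submitted parameters are re-emitted as hidden fields on a confirmation form.

```python
import hashlib
import hmac
import html

# Constructed demo user store: username -> PBKDF2 hash (assumption, not a real store)
_SALT = b"demo-salt"
_ITER = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}

# Paths the developer has flagged as significant actions (assumed values)
CONFIRM_REQUIRED = {"/delete-account", "/change-email"}


def verify_password(user, password):
    """Constant-time check of a freshly entered password against the store."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    return user in USERS and hmac.compare_digest(USERS[user], digest)


def confirmation_page(path, params):
    """Rebuild the intercepted request as hidden fields plus a password prompt."""
    hidden = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in params.items() if k != "password"
    )
    return (
        f'<form method="post" action="{html.escape(path)}">{hidden}'
        '<label>Password: <input type="password" name="password"></label>'
        '<input type="submit" value="Confirm"></form>'
    )


def confirm_filter(user, path, params, action):
    """Centralized confirmation step for significant actions.

    Returns ("done", result) when `action` ran, or ("confirm", form_html)
    when the user must re-enter their password before the action proceeds.
    """
    if path not in CONFIRM_REQUIRED:
        return "done", action(params)
    password = params.get("password")
    if password is None or not verify_password(user, password):
        # No or wrong password: re-present the request for re-authentication
        return "confirm", confirmation_page(path, params)
    clean = {k: v for k, v in params.items() if k != "password"}
    return "done", action(clean)
```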