lsayre wrote: I knew I should have written it down. Something about an "incorrect form" perhaps. But when I pressed "submit" a second time it went through.
That's not a server error; that's a security feature, on purpose. Any page that can accept input is issued a unique "token" which is only valid for half an hour. You'll need to resubmit the form once the token has expired.
Here's an example from Wikipedia:
Cross-site request forgery
The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated. For example, one user, Bob, might be browsing a chat forum where another user, Fred, has posted a message. Suppose that Fred has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,
If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Bob's Web browser which is confused into misusing Bob's authority at Fred's direction.
I think I might be able to explain this a little better. Suppose you're logged in here. You go to a page on another site that has an image in the HTML code. You won't ever see this as an image because it isn't one:
<img src="http://nepacrossroads.com/posting.php?message=the mayor is an idiot">
Like I said you won't see this image because it isn't an image but your browser is still going to try and load this page and post your message "the mayor is an idiot".
The token prevents that from happening because it's like a gazillion to one shot they would guess the right token and they only have half an hour to do it anyway.
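The mechanism described in the post, as an added example that is not the forum's own code: a server issues a token bound to the user's session and to the time it was issued, accepts it only within a half-hour window, and rejects any posting request that arrives without a valid one (which is exactly what a forged <img> request from another site lacks). The secret, the session id, the `handle_post` function and the form field names are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME = 30 * 60  # half an hour, matching the expiry the post describes


def issue_token(session_id, now=None):
    """Create a token tied to the logged-in session and its issue time.

    The token is <issued_timestamp>:<HMAC>, so the server can check the age
    without storing anything, and the HMAC prevents anyone from forging one
    for a session they do not control.
    """
    issued = int(now if now is not None else time.time())
    msg = f"{session_id}:{issued}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def verify_token(session_id, token, now=None):
    """Return True only if the token belongs to this session and is unexpired."""
    current = now if now is not None else time.time()
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False  # malformed or missing token
    if issued > current or current - issued > TOKEN_LIFETIME:
        return False  # expired (the "incorrect form" case) or from the future
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}:{issued}".encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(mac, expected)


def handle_post(session_id, form, now=None):
    """Simulated posting handler: the session cookie alone is not enough.

    A forged <img src="...posting.php?message=..."> request sends the cookie
    (so session_id is valid) but carries no token field, so it is rejected.
    """
    if not verify_token(session_id, form.get("token", ""), now):
        return "rejected: incorrect form (missing or expired token)"
    return f"posted: {form['message']}"


if __name__ == "__main__":
    # Constructed session id standing in for the value from the login cookie.
    session = "bob-session-123"
    t0 = 1_700_000_000
    token = issue_token(session, now=t0)
    # Legitimate submission from the real form, inside the window.
    print(handle_post(session, {"token": token, "message": "hello"}, now=t0 + 60))
    # Forged cross-site <img> request: cookie present, no token.
    print(handle_post(session, {"message": "the mayor is an idiot"}, now=t0 + 60))
    # Real form left open too long: token expired, user must resubmit.
    print(handle_post(session, {"token": token, "message": "hello"}, now=t0 + 1801))
```

The half-hour window is why lsayre's second "submit" succeeded: the page re-rendered with a fresh token, and the resubmission carried it.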