Hi i just want to know if i need to have a csrf protection for this case and if yes how please :
i'm using a drag and drop interface in my website for user management, for example if a user wants to delete a user from his friends list he just drops it in trashbin and that's how the request is generated using the id of the user (from session) and the id of the friend he wants to remove, so the only param passed in the request is only开发者_如何转开发 the id of the friend because the other id is stocked in session!
is it clear ?
so is that secure or shall i use some kind of csrf protection ?
thx in advance!
Yes, because an attacker could craft a page that calls the same request with one or many friend ids, thus causing an unsuspecting user visiting his page, to delete some/all his friends.
Any request that causes a change on the server, should have CSRF-protection
精彩评论