Cross Site Request Forgery (CSRF/XSRF) questions and answers

cgisecurity.net - Cross Site Request Forgery (CSRF/XSRF) questions and answers:

"What can I do to protect my own applications?

Setting a short time period for user sessions is essential. Sites requiring the user to be logged in before performing an action can set the user's session to a short session period (say 5 minutes) to reduce the odds of a successful CSRF attack. In conjunction with this, prompt the user with a login page or strong CAPTCHA each time an important site action is performed.

[...] A popular suggestion for preventing CSRF involves appending session tokens to each request. This method is documented in multiple documents; however, as pointed out in mailing list postings, an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token. Assuming that your browser is patched and free from all vulnerabilities, including through plugins such as Flash/Acrobat, all the time (keep dreaming), and that your website is free from all types of XSS, then the token method may be considered a suitable solution."

Tue, 17 Jul 2007 09:35:57 +0000
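A minimal sketch of the two measures the FAQ discusses, a per-session anti-CSRF token checked on every state-changing request and a short idle timeout after which the user must log in again, written as an added example here (it is not code from cgisecurity.net). It assumes a server-side session store; the function names, the 5-minute lifetime and the sample request are constructed for illustration.

```python
# Added example, not from the quoted FAQ: synchronizer-token CSRF check
# plus the short session lifetime the FAQ recommends. All names hypothetical.
import hmac
import secrets
import time

SESSION_LIFETIME_SECONDS = 5 * 60   # the FAQ's "say 5 minutes"


def new_session(now=None):
    """Create a server-side session record with its own random CSRF token.

    The token is a separate random value, not the session id, so that a
    leaked token does not also hand over the session cookie.
    """
    now = time.time() if now is None else now
    return {
        "id": secrets.token_urlsafe(32),
        "csrf_token": secrets.token_urlsafe(32),
        "last_seen": now,
    }


def csrf_token_for_form(session):
    """The value the server embeds in its own forms (hidden field)."""
    return session["csrf_token"]


def session_is_live(session, now=None):
    """False once the idle timeout has elapsed; the user must re-authenticate."""
    now = time.time() if now is None else now
    return now - session["last_seen"] <= SESSION_LIFETIME_SECONDS


def validate_state_changing_request(session, submitted_token, now=None):
    """Return (ok, reason) for a request that changes state.

    The browser attaches the session cookie to a cross-site request
    automatically, but a forged request cannot carry the per-session
    token, so a missing or wrong token is rejected before any action.
    """
    now = time.time() if now is None else now
    if not session_is_live(session, now):
        return False, "session expired; re-authenticate"
    if submitted_token is None:
        return False, "missing csrf token"
    # Constant-time comparison on bytes; .encode() also keeps compare_digest
    # from raising on a non-ASCII value submitted by a client.
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(expected, submitted_token.encode("utf-8")):
        return False, "csrf token mismatch"
    session["last_seen"] = now     # activity extends the short session
    return True, "ok"


def handle_request(session, form_fields, now=None):
    """Constructed request handler: only the token check decides; the
    'action' is recorded so the caller can see whether it would have run."""
    ok, reason = validate_state_changing_request(
        session, form_fields.get("csrf_token"), now)
    return {"performed": ok, "reason": reason}


if __name__ == "__main__":
    s = new_session(now=1000.0)
    genuine = {"amount": "10", "csrf_token": csrf_token_for_form(s)}
    forged = {"amount": "10"}    # cross-site form: cookie sent, token absent
    print(handle_request(s, genuine, now=1100.0))
    print(handle_request(s, forged, now=1100.0))
    print(handle_request(s, genuine, now=1100.0 + SESSION_LIFETIME_SECONDS + 1))
```

The check sits in front of every state-changing handler; read-only requests need no token. Note that the FAQ's caveat still applies: an XSS flaw on the same origin can read the hidden field, so the token protects against cross-site forgery only, not against script injection.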

WWW SQL Designer

Ondřej Žára - WWW SQL Designer: "Online tool for designing relational database schemas. Works fine in all three major browsers (Gecko, MSIE, Opera) and features schema saving, exporting to xml and sql script creation." Take a look at the demo.

(Found via Ryan Eby.)

Mon, 16 Jul 2007 06:12:10 +0000

Release 1.0

O'Reilly Radar - Release 1.0:

"Esther Dyson edited Release 1.0 from 1983 to November 2006, when O'Reilly acquired the newsletter and updated it to Release 2.0. It is our great pleasure to offer, free of charge, electronic versions of all back issues of Release 1.0. Each issue offers insights into a topic just before it went mainstream."

Sat, 14 Jul 2007 22:19:29 +0000

Fun with PDFs on Mac OS X

The built-in PDF support in OS X is simply great. I just found two additional helpers:

  • creating PDFs from office documents via OpenOffice, on the command line - Batch Converting Legacy Documents at XML.com (copy & paste their Basic macro, put the line

        "/Applications/OpenOffice.org 2.1.app//Contents/MacOS/program/soffice" -invisible 'macro:///Standard.Module1.SaveAsPDF("/Users/tim/Desktop/test.ppt")'

    into a shell script and run it with "open-x11 test.sh")
  • combining PDFs from the command line - Combine PDFs without using Automator at macosxhints.com:

        python '/System/Library/Automator/Combine PDF Pages.action/Contents/Resources/join.py' -o '/Users/tim/Desktop/output.pdf' '/Users/tim/Desktop/hello world.pdf' '/Users/tim/Desktop/hello world 2.pdf'

Fri, 13 Jul 2007 22:41:16 +0000

Alfresco Web Services Revisited

David Caruana - Alfresco Web Services Revisited:

"ECM should rethink the way it provides Web Services. Imagine being able to expose your enterprise content resources (folders, documents, searches, categories, versions, discussions, workflows etc) to your network with the minimum of effort; distributed resources that can be retrieved, managed, mashed by any part of your enterprise software suite."

Fri, 13 Jul 2007 07:21:08 +0000

Which theory fits the evidence?

Reginald Braithwaite - Which theory fits the evidence?:

"Theory P [= probabilistic] adherents believe that the normal case for software projects is that tasks are rarely completed exactly as estimated, but that as a project progresses, the aggregate variance from estimates falls.

Theory D [= fully deterministic] adherents believe that the most important element of successful software development is planning. If a plan is properly constructed for the design and development of a software project, the actual implementation is virtually guaranteed."

Thu, 12 Jul 2007 07:28:02 +0000


Fri, 06 Jul 2007 09:38:40 +0000

A reminder about the power of email

Matt Linderman of 37signals - A reminder about the power of email:

"It was a reminder of how much power there is in email. We forget that the RSS-centric world we live in isn’t the one many (and probably most) of our customers live in. They don’t have the time or energy to keep up with the constant stream of info at our blogs. That’s why the old-fashioned occasional email update — which gives people the juiciest bits and leaves out the rest — still has so much power."

Thu, 05 Jul 2007 21:13:43 +0000

Optimizing Web Applications and Content for iPhone

Apple Developer Connection - Optimizing Web Applications and Content for iPhone:

"The following guidelines will help you prepare web content and design a website or web-based application for iPhone. If you are a seasoned web developer, there are probably just a few refinements you can make to ensure that your site looks great and works best on iPhone."

Thu, 05 Jul 2007 12:28:48 +0000

The big content system integration II

Michael Edson at the Really Strategies Blog - The big content system integration II:

"It has a central repository built of two fundamental parts - XML and binary content (images, etc.). Work done in page layout tools/editorial tools/workflow tools is transitory (though might be archived). The purpose of the repository would be to accurately manage 'content' of published products and to also provide a starting point for initial manuscript creation for the next stage in the cycle."

Wed, 04 Jul 2007 07:44:36 +0000

Topic Map Patterns for Thesaurii

Techquila - Thesaurii:

"There are two possible patterns for the representation of a thesaurus in a topic map [...]:

  • Thesaurus Pattern 1: The Topic-Per-Term Pattern
  • Thesaurus Pattern 2: The Topic-Per-Concept Pattern"
Wed, 04 Jul 2007 07:38:47 +0000