Closed PlanetTheCloud closed 2 years ago
Suspending accounts can be easily done via the Callback, as there's no auth or IP check.
I don't know what is that
You can google it
I don't think it is necessary, because a session or a cookie is required to make a request to the system; if the session or cookie is not active, the request will not proceed.
But if you want to implement it, you can do it by yourself.
The session is persisted across tabs, using the "include cookies" flag.
This issue has been disclosed privately to the author (on Jan 8th) but it's taking too long to be fixed.
The following text is mostly copied and pasted from the email: Although not tested yet, and modern browsers seem to do a good job at preventing damage from CSRF, by lacking this security measure users could be impersonated (other sites can send requests on behalf of the user, such as to suspend their account, create new accounts, send offensive/inappropriate support requests, and more).
Some may argue that modern browsers can stop most of the attacks but we should not rely on users having the latest and up-to-date browser. We instead must make our app as secure as possible even on old and outdated browsers.
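To illustrate the point argued in this thread, here is an added example (not code from this project or from anyone in the thread) that contrasts a cookie-only check with the synchronizer-token pattern: the browser attaches the session cookie to a cross-site form post automatically, so a handler that relies on the cookie alone accepts the forged request, while a handler that also requires a per-session token the attacking page cannot read rejects it. The endpoint, session store and field names are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def create_session(user):
    """Create a session and bind a random CSRF token to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """The server renders this into a hidden form field on its own pages only."""
    return SESSIONS[sid]["csrf"]

def suspend_cookie_only(cookies, form):
    """Vulnerable handler: the reasoning from the thread. A valid session cookie is
    the only check, but the browser sends that cookie on cross-site requests too."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "no session"
    return 200, f"suspended {sess['user']}"

def suspend_with_csrf_token(cookies, form):
    """Hardened handler: the request must also carry the session's CSRF token.
    A cross-site page cannot read it (same-origin policy), so a forged post fails.
    A SameSite=Lax/Strict cookie attribute is a useful second layer, but only on
    browsers that honour it, which is exactly the concern raised in the report."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "no session"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"suspended {sess['user']}"

def demo():
    """Returns (vulnerable result, hardened result) for a forged cross-site post
    that carries the victim's cookie but no token, plus the legitimate result."""
    sid = create_session("alice")
    cookies = {"session": sid}          # attached by the browser in both cases
    forged_form = {}                    # cross-site page has no way to know the token
    legit_form = {"csrf_token": csrf_token_for(sid)}
    return (suspend_cookie_only(cookies, forged_form)[0],
            suspend_with_csrf_token(cookies, forged_form)[0],
            suspend_with_csrf_token(cookies, legit_form)[0])

if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```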