Definition: http://en.wikipedia.org/wiki/Cross-site_request_forgery
Example:
<img src=”http://csrf.com/logout?confirm=true”>
<body onload=”$(‘form’).submit()”>
<form action=”http://csrf.com/” method=”post”>
<input name=”confirm” value=”true” />
</form>
</body>
Protection:
– Check the referrer
– Insert a token to the form, store the token and token_time in session
– Insert the cookies to the form via js (remote XmlHttpRequest calls cannot read cookies)