On Wed, Sep 24, 2008 at 10:09 PM, Steven Wittens <steven@acko.net> wrote:
Also, you shouldn't be taking any action just from a GET request, or you're
opening yourself to CSRF (Cross site request forgery). To avoid this, you need a confirm form that uses POST to actually trigger the action.
This isn't really about GET vs POST, but rather about using session-derived tokens (which you get for free with Form API). To avoid the annoyance of a confirm form, you can add and verify tokens manually with drupal_get_token() and drupal_valid_token(). Which you should be doing for ajax callbacks anyway, regardless of whether they are POST or GET.
Steven
This is why you should use sessionsbased tokens, http://www.codinghorror.com/blog/archives/001171.html Regards, Johan Forngren :: http://johan.forngren.com/