Suppose that the users have private content on their account. Like on any social website, when they browse their account, the users can see a lot of things about them. Are all of those requests tokenised? Is it a good idea to make a pattern and tokenise all requests and check them before they are processed? Any suggestion?
Do all apps based on a private-accounts system tokenise all requests?
P.S.: here is a possible attack: the user logs in to a social website ("x"), stays logged in, goes to another website ("y"). Website y has a button that gets the first-page content of the x site, which includes the user's latest posts. Since the user is logged in, the data will show ...
How would you set up a CSRF token mechanism for each request? Set up a middle process that redirects the request to the final processing page if it is a valid request? Or ... any other ideas? Am I wrong here? Do I see things wrong?
Here I asked the same question and got the right final answer: https://stackoverflow.com/a/10006276/1284817 . The validated answer here is good to read about it too.
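The "middle process" the question asks about is usually a middleware that sits in front of every handler. The sketch below is an added example written for this page, not code from the linked answer or from any framework. It issues per-session tokens signed with a server-side HMAC key (so no server-side token store is needed), lets safe methods (GET/HEAD/OPTIONS) through, and rejects every state-changing request whose token is missing or bound to a different session. The cookie name `session`, the header `X-CSRF-Token`, the form field `csrf_token` and the secret key are all assumptions chosen for the example. Note that a token of this kind protects against a foreign site *submitting* actions as the user; whether a foreign page can *read* the response of a GET to site x is decided by the browser's same-origin policy and CORS headers, not by the CSRF token.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret; in a real deployment load it from config
# and rotate it. Constructed value for this example only.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Methods that must not change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _sign(session_id: str, nonce: str) -> str:
    """HMAC over (session id, nonce) so a token only validates for the session it was issued to."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh token to embed in a form or expose to the page's own scripts."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check that the token was minted for this session."""
    try:
        nonce, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(_sign(session_id, nonce), sig)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_middleware(request: Request, handler):
    """Run before every handler: pass safe methods, gate unsafe ones on a valid token."""
    session_id = request.cookies.get("session")
    if session_id is None:
        return 401, "no session"
    if request.method.upper() in SAFE_METHODS:
        return handler(request)
    # Accept the token from a header (AJAX) or a hidden form field (classic POST).
    token = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token")
    if not token or not verify_csrf_token(session_id, token):
        return 403, "CSRF check failed"
    return handler(request)


def post_status(request: Request):
    """Example state-changing handler protected by the middleware."""
    return 200, f"posted: {request.form.get('text', '')}"


if __name__ == "__main__":
    sid = "sess-abc"
    tok = issue_csrf_token(sid)
    ok = Request("POST", "/post", {"session": sid}, {}, {"csrf_token": tok, "text": "hi"})
    forged = Request("POST", "/post", {"session": sid}, {}, {"text": "hi"})
    print(csrf_middleware(ok, post_status))      # (200, 'posted: hi')
    print(csrf_middleware(forged, post_status))  # (403, 'CSRF check failed')
```

Because the signature covers the session id, a token captured from one session is useless in another, and the server never has to remember which tokens it handed out. Pair this with `SameSite` session cookies as a second layer; the two mechanisms fail independently.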