-------
I believe the attack here is called [cross site] Request Forgery (very similar).
The attacker creates a link that you click on. That link goes to the attacker's page (or something). This page makes requests that are engineered to do something (in this case submit a comment). Normally, that wouldn't work, but since it runs in your browser and since you are logged in, it does work.
Making requests in POST format instead of in GET format does help some, but it is still possible. HTTP referrers help as well, but they can be spoofed.
The best thing to do is to have users avoid clicking the link. That said, it's not very likely that that will work, and it's bad practice as programmers to make that assumption.
The solution to XSRF attacks is to have more secure session tokens. Set it up so that the session token information is not only stored in a cookie (try hidden form fields). User submissions are only accepted if they have this hidden field. The attacker can't get the hidden field without getting a page from DA itself that has it. They can't get that page without being authenticated already (or at least it won't come down with the token).
So every time they go anywhere or do anything, we have to include that in the authentication.
-----------------
For now though, users.....don't click stupidly XD
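The hidden-field defence the post describes, as an added worked example that is not part of the original post or of DeviantArt's code. It assumes a minimal in-memory session store and hand-rolled request handlers (`create_session`, `render_comment_form`, `handle_post_comment` are all hypothetical names); the point is that the comment endpoint accepts a submission only when the token in the form body matches the token tied to the session cookie, so a cross-site page that can only make the browser send the cookie, but cannot read the form page, fails the check.

```python
import hmac
import re
import secrets
from html import escape

# Constructed in-memory stand-in for a real session backend: session id -> record.
SESSIONS = {}


def create_session(username):
    """Log a user in: mint the session id (the cookie) and a separate per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_comment_form(sid):
    """Serve the comment form only to an authenticated session, embedding the token as a hidden field."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    return (
        '<form method="post" action="/comment">'
        f'<input type="hidden" name="csrf_token" value="{escape(session["csrf"])}">'
        '<textarea name="body"></textarea>'
        "</form>"
    )


def extract_hidden_token(html):
    """What a legitimate browser does implicitly: read the hidden field from the served page."""
    match = re.search(r'name="csrf_token" value="([^"]*)"', html)
    return match.group(1) if match else ""


def handle_post_comment(cookies, form):
    """Accept a comment only if the cookie session exists AND the hidden token matches it."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so an attacker learns nothing from timing
    # and non-ASCII input cannot trip hmac.compare_digest's str restriction.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid csrf token"
    return 200, f"comment by {session['user']} posted: {form.get('body', '')}"


def demo():
    """Run the four cases and return their status codes: (no cookie, forged, forged+guess, legitimate)."""
    sid = create_session("alice")
    cookies = {"session": sid}  # the browser attaches this automatically on any request

    # 1. Request with no session at all.
    no_session, _ = handle_post_comment({}, {"body": "spam"})
    # 2. Cross-site forgery: the browser sends the cookie, but the attacker's page
    #    never saw the form, so no token is included.
    forged, _ = handle_post_comment(cookies, {"body": "spam"})
    # 3. Forgery with a guessed token (secrets.token_urlsafe gives 256 bits of entropy).
    guessed, _ = handle_post_comment(cookies, {"body": "spam", "csrf_token": "guess"})
    # 4. Legitimate flow: fetch the form with the session, then submit what it contained.
    token = extract_hidden_token(render_comment_form(sid))
    ok, _ = handle_post_comment(cookies, {"body": "hello", "csrf_token": token})
    return no_session, forged, guessed, ok


if __name__ == "__main__":
    print(demo())  # (401, 403, 403, 200)
```

Because the token lives in the page body rather than the cookie, the browser does not attach it automatically; the attacker's page would have to read a cross-origin response to obtain it, which the same-origin policy prevents. Per-session tokens are enough for this check; per-request tokens only add the burden of re-issuing one on every form render.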