Client-side protection against Session Riding, also known as {C,X}SRF - Cross Site Request Forgery

The Proxy


RequestRodeo is an HTTP proxy written in Python using the Twisted framework, OpenSSL and SQLite. It protects its user(s) against a relatively unknown attack vector, Session Riding. A short introduction to session riding can be found in the Wikipedia article on Session riding. RequestRodeo is, to the best of our knowledge, the only project of its kind.

A paper describing our project (by Martin Johns).

The Mozilla Extension


Implementing Request Rodeo as an HTTP proxy has several drawbacks, so the long-term goal is to implement the same functionality within the browser.


Development has just started. If you are interested in contributing to a young extension, join us!

Limitations and known problems

CVS Snapshots

Hourly build snapshots from the CVS repository are available here.

Getting the source

Request Rodeo is released under the terms of the GNU GPL. You can get the source via anonymous CVS or browse the CVS using your browser.

See for details.


Our project is hosted at, take a look at our project page for more infrastructure.

Justus Winter
Last modified: Mon Jan 22 18:54:24 CET 2007