Re: Cookie Security
From: Orlin Gueorguiev <orlin () baturov com>
Date: Wed, 30 Apr 2008 07:57:08 +0200
> Every response generates a new token, which must be returned back to server on
> next request. Place this token into cookies, hidden fields, url,
> whatever, but server must get it back on next request. If next request
> comes without correct token, then over the session. This method also
> will help you avoid CSRF vulnerabilities.
According to wiki:
CSRF merely transmits unauthorized commands from a user the website trusts.
For example, one user, Bob, might be browsing a chat forum where another user,
Mallory, has posted a message. Suppose that Mallory has crafted an HTML image
element that references a script on Bob's bank's website (rather than an
image file), e.g.,
If Bob's bank keeps his authentication information in a cookie, and if the
cookie hasn't expired, then Bob's browser's attempt to load the image will
submit the withdrawal form with his cookie, thus authorizing a transaction
without Bob's approval.
So... what I am asking myself is how your concept can secure that CSRF is not
going to be exploited?
> I know SSL is the "real" solution, but I wondered if anyone has attempted
> to secure this common system at an application level. Perhaps not. If so
Actually not... SSL is used to secure a virtual private connection between 2
instances. If I secure a connection to a site I can still exploit it via XSS.
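The per-response token scheme quoted above, and the question of whether it stops the bank-withdrawal CSRF from the Wikipedia passage, can be illustrated with a small simulation. The following is an added example, not code from anyone on this thread: a constructed server-side session table (the `SessionStore` class, its method names, and the `sid`/`token` field names are all assumptions made for the demo) that mints a fresh token for every response, binds it to the session, and ends the session if a state-changing request arrives without the expected token. The forged request models Mallory's image element: the browser attaches Bob's session cookie automatically, but cannot supply the token that was embedded in a hidden field of a page Bob loaded.

```python
import hmac
import secrets


class SessionStore:
    """Constructed demo of the quoted scheme: session id -> {user, token}.

    Not a real framework; the cookie is the session id and the one-time
    token travels in a hidden form field rather than in the cookie, because
    anything in the cookie would be sent automatically by the browser and
    so could not distinguish Bob's own request from a cross-site one.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create a session and return the id that goes into the cookie."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "token": None}
        return sid

    def issue_token(self, sid):
        """Called while building each response: mint a fresh token and remember it."""
        token = secrets.token_urlsafe(16)
        self._sessions[sid]["token"] = token
        return token

    def handle_request(self, cookies, form):
        """Process a state-changing request; returns (status, message)."""
        sess = self._sessions.get(cookies.get("sid"))
        if sess is None:
            return ("rejected", "no session")
        expected = sess["token"]
        presented = form.get("token", "")
        # Constant-time compare; a missing or wrong token ends the session,
        # as the quoted scheme prescribes.
        if expected is None or not hmac.compare_digest(
            expected.encode(), presented.encode()
        ):
            del self._sessions[cookies["sid"]]
            return ("rejected", "bad token; session ended")
        sess["token"] = None  # single use: a new one is issued with the response
        return ("ok", f"withdrawal by {sess['user']}")


def legitimate_flow():
    """Bob loads the form (token issued) and submits it with the hidden field."""
    store = SessionStore()
    sid = store.login("bob")
    token = store.issue_token(sid)
    return store.handle_request({"sid": sid}, {"token": token, "amount": "1000"})


def forged_flow():
    """Mallory's <img> request: cookie is attached by the browser, token is not."""
    store = SessionStore()
    sid = store.login("bob")
    store.issue_token(sid)
    return store.handle_request({"sid": sid}, {"amount": "1000"})


def replay_flow():
    """A captured token is good for one request only."""
    store = SessionStore()
    sid = store.login("bob")
    token = store.issue_token(sid)
    first = store.handle_request({"sid": sid}, {"token": token})
    second = store.handle_request({"sid": sid}, {"token": token})
    return first[0], second[0]


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("forged:    ", forged_flow())
    print("replay:    ", replay_flow())
```

The design point the demo makes is the one the thread is circling: the token only helps against CSRF when it is carried somewhere a cross-site request cannot reproduce (a hidden field or a request header read from the page), not in the cookie alone. It also does nothing against XSS, since script running in the page can read the hidden field, which is consistent with the last remark above.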