Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:24:19 +0300
2008/4/30 Orlin Gueorguiev <orlin () baturov com>:
> If Bob's bank keeps his authentication information in a cookie, and if the
> cookie hasn't expired, then Bob's browser's attempt to load the image will
> submit the withdrawal form with his cookie, thus authorizing a transaction
> without Bob's approval.
> So... what I am asking myself is how your concept can ensure that CSRF is not
> going to be exploited?
You already have answered your question using your "if's". The token can't
be in the cookies, because they are sent back on every request.
But if the token is used, for example, in a URL, then your method will
not work. But again, this technique will not work if the site is
vulnerable to XSS. Most security methods against CSRF don't work
if the site has an XSS vulnerability. Then a much better way is to use
something like a captcha. Just ask the user to do something before doing
important actions. But again, the captcha can't be too complicated, because
you will have another problem: usability of the website. :) Better
security always means less usability, and finding the middle is quite
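The point made in this reply (a CSRF token is only useful if it travels somewhere the browser does not attach automatically, such as a hidden form field or URL, never only in a cookie) can be illustrated with a small synchronizer-token check. The following is an added example and not code from the thread; the in-memory `SESSIONS` store, the `/withdraw` form and the `handle_withdraw` handler are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store, keyed by the session id carried in the
# cookie. A real deployment would use a server-side session backend.
SESSIONS = {}


def new_session(user="bob"):
    """Create a logged-in session with its own unguessable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_withdraw_form(sid):
    """Embed the per-session token in the form body, not in a cookie.

    token_urlsafe() yields only [A-Za-z0-9_-], so it needs no HTML escaping.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/withdraw">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Withdraw</button></form>'
    )


def handle_withdraw(cookies, form):
    """Return (status, message).

    The cookie alone proves only that the browser is logged in; it is sent on
    any request, including one a third-party page provoked. The form field is
    what proves the request came from a page the bank itself served.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token does not leak which prefix matched.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf check failed"
    return 200, f"withdrew {form.get('amount')} for {session['user']}"


def demo():
    """Exercise the three cases the thread discusses; returns the status codes."""
    sid = new_session()
    cookies = {"session": sid}
    token = SESSIONS[sid]["csrf_token"]

    # Request forged from another site: the browser attaches the cookie
    # automatically, but the attacker's form cannot contain the hidden token.
    forged = handle_withdraw(cookies, {"amount": "1000"})
    # Request submitted from the bank's own form: token present and matching.
    legit = handle_withdraw(cookies, {"amount": "1000", "csrf_token": token})
    # Guessed token: same length, wrong value.
    guessed = handle_withdraw(cookies, {"amount": "1000", "csrf_token": "A" * 43})
    # No session cookie at all.
    anonymous = handle_withdraw({}, {"amount": "1000", "csrf_token": token})
    return forged[0], legit[0], guessed[0], anonymous[0]


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the confidentiality of the hidden field: script injected through an XSS flaw on the same origin can read the form and replay the token, which is the limitation the reply above points out.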