Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
Matt Palmer
mpalmer at hezmatt.org
Thu Jan 17 22:38:53 UTC 2013
[Cookies on stat.ripe.net]
On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> The cookie stays around for a YEAR (if I let it), and has the
> following stuff:
>
> Name: stat-csrftoken
> Content: 7f12a95b8e274ab940287407a14fc348
[...]
> To your credit, you only ask once, but you ought to ask zero times.
CSRF protection is one of the few valid uses of a cookie. It shouldn't need
to be set on every page, though, and it should be cleared immediately after
the form submission. It's typically a lot easier in the site code just to
set it once and be done with it.
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how. Ten minutes with Google hasn't provided any useful
information.
- Matt
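One stateless approach to the question above, as an added example that is not part of the original post: the token is an HMAC over the authenticated user's identity and an expiry time, so the server stores nothing and sets no extra cookie. It assumes the server already knows the user's identity from some other mechanism (HTTP authentication, a client certificate, or an existing login); the secret key and user ids below are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example. Load from configuration in real deployments.
SECRET_KEY = b"example-secret-key-change-me"

def _mac(user_id: str, expires: int) -> str:
    # Bind the token to the user and to an expiry so it cannot be replayed
    # indefinitely or reused for another account.
    msg = f"{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(user_id: str, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Return a token to embed as a hidden form field. Nothing is stored."""
    expires = int((now if now is not None else time.time()) + ttl_seconds)
    return f"{expires}.{_mac(user_id, expires)}"

def verify_token(token: str, user_id: str,
                 now: Optional[float] = None) -> bool:
    """Recompute the MAC for the authenticated user and check the expiry."""
    try:
        exp_str, mac = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False  # malformed token
    if (now if now is not None else time.time()) > expires:
        return False  # expired
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac, _mac(user_id, expires))

if __name__ == "__main__":
    tok = issue_token("alice")
    print(tok, verify_token(tok, "alice"), verify_token(tok, "bob"))
```

If the only way the server learns the user's identity is a session cookie, that cookie is still required; this pattern removes the separate CSRF cookie and the server-side token store, not authentication itself.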
More information about the NANOG mailing list