Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

George Herbert george.herbert at gmail.com
Sat Jan 19 23:54:37 UTC 2013





On Jan 18, 2013, at 7:52 PM, Matt Palmer <mpalmer at hezmatt.org> wrote:

> On Fri, Jan 18, 2013 at 09:41:41AM +0100,  . wrote:
>> On 17 January 2013 23:38, Matt Palmer <mpalmer at hezmatt.org> wrote:
>> ..
>>> By the way, if anyone *does* know of a good and reliable way to prevent CSRF
>>> without the need for any cookies or persistent server-side session state,
>>> I'd love to know how.  Ten minutes with Google hasn't provided any useful
>>> information.
>> 
>> I think many people create <forms> with a secret code that is
>> different and hopefully can't be predicted by the attackers.
>> 
>> <form method="post">
>> <input type="hidden" name="id_user" value="33">
>> <input type="hidden" name="action" value="delete_user">
>> <input type="hidden" name="secret" value="5ebe2294ecd0e0f08eab7690d2a6ee69">
>> <input type="submit" value="Delete user">
>> </from>
>> 
>> The easy way to do this is to generate secret from the md5 if time in
>> miliseconds + a salt string, and store the secret generated
>> serverside.
> 
> Storing any state server-side is a really bad idea for scalability and
> reliability.

?

Doing that - into a user state DB of sone sort, either external or in middleware, is routine...


George William Herbert
Sent from my iPhone



More information about the NANOG mailing list