Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

Matt Palmer mpalmer at hezmatt.org
Thu Jan 17 22:38:53 UTC 2013


[Cookies on stat.ripe.net]

On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> The cookie stays around for a YEAR (if I let it), and has the
> following stuff:
> 
> Name: stat-csrftoken
> Content: 7f12a95b8e274ab940287407a14fc348

[...]

> To your credit, you only ask once, but you ought to ask zero times.

CSRF protection is one of the few valid uses of a cookie.  It shouldn't need
to be set on every page, though, and it should be cleared immediately after
the form submission.  It's typically a lot easier in the site code just to
set it once and be done with it.

By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how.  Ten minutes with Google hasn't provided any useful
information.

- Matt
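An added example, not part of Matt's post or of stat.ripe.net's code, of the kind of scheme his question points at: a CSRF token that needs neither a cookie nor a server-side session table. The server mints an HMAC over (issue time, nonce, principal) under a per-deployment secret, embeds it in the form, and on submit recomputes the MAC for whoever the request authenticates as. It assumes the request already carries some non-cookie ambient credential (HTTP Basic auth or a client certificate) that tells the server the principal; if there is no ambient credential at all, a cross-site request has nothing to ride on and CSRF does not arise. All names (SECRET_KEY, make_token, verify_token, handle_form_post) and the secret are hypothetical.

```python
"""Stateless CSRF tokens bound to an authenticated principal (added example).

No cookie is set and no session state is kept: the token itself carries the
issue time and a nonce, and the HMAC binds both to the principal the server
learns from Basic auth or a client cert. Function names are hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-deployment secret. In a real service this is loaded from configuration;
# it is constructed inline here so the example runs offline.
SECRET_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)
TOKEN_TTL = 3600   # seconds a token stays valid
CLOCK_SKEW = 60    # tolerate slightly future-dated tokens from another node


def _mac(issued: int, nonce: str, principal: str) -> str:
    # Length-prefix the principal so field boundaries cannot be shifted.
    msg = f"{issued}:{nonce}:{len(principal)}:{principal}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(principal: str, now: Optional[float] = None) -> str:
    """Issue a token to embed in the form as a hidden field."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{issued}:{nonce}:{_mac(issued, nonce, principal)}"


def verify_token(token: str, principal: str, now: Optional[float] = None) -> bool:
    """Accept only a token minted under our key, for this principal, unexpired."""
    now = time.time() if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return False
    issued_s, nonce, mac = parts
    if not issued_s.isdigit():
        return False
    issued = int(issued_s)
    if issued > now + CLOCK_SKEW or now - issued > TOKEN_TTL:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(issued, nonce, principal), mac)


def handle_form_post(form: dict, authenticated_user: str,
                     now: Optional[float] = None) -> str:
    """Simulated POST handler: check the token before any state-changing work."""
    token = form.get("csrf_token", "")
    if not verify_token(token, authenticated_user, now):
        return "403 Forbidden: bad or missing CSRF token"
    return f"200 OK: action performed for {authenticated_user}"


if __name__ == "__main__":
    # Legitimate flow: the page rendered for alice carries alice's token.
    token = make_token("alice")
    print(handle_form_post({"csrf_token": token}, "alice"))
    # Forged cross-site POST: the attacker's page cannot read alice's token,
    # and a token minted for the attacker's own account fails for alice.
    print(handle_form_post({}, "alice"))
    print(handle_form_post({"csrf_token": make_token("mallory")}, "alice"))
```

The price of keeping no server-side state is that a token cannot be made single-use: anyone who obtains one can replay it until TOKEN_TTL elapses, so the TTL should be as short as the form's normal fill-in time allows. Clearing the token after submission, as described above for the cookie variant, is not needed here because nothing was stored in the first place.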




More information about the NANOG mailing list