Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

. oscar.vives at gmail.com
Fri Jan 18 08:41:41 UTC 2013


On 17 January 2013 23:38, Matt Palmer <mpalmer at hezmatt.org> wrote:
..
> By the way, if anyone *does* know of a good and reliable way to prevent CSRF
> without the need for any cookies or persistent server-side session state,
> I'd love to know how.  Ten minutes with Google hasn't provided any useful
> information.

I think many people create <forms> with a secret code that is
different and hopefully can't be predicted by the attackers.

<form method="post">
<input type="hidden" name="id_user" value="33">
<input type="hidden" name="action" value="delete_user">
<input type="hidden" name="secret" value="5ebe2294ecd0e0f08eab7690d2a6ee69">
<input type="submit" value="Delete user">
</from>

The easy way to do this is to generate secret from the md5 if time in
miliseconds + a salt string, and store the secret generated
serverside. But if you don't want to store this secret key anywhere in
the server, you can relie in security by obscurity, and generate it by
a predictible algorithm, like  md5( year + "_SALT_" + id_user
+day_of_year).  A attacker can figure out the algorithm, or it can be
leaked, but if your site is small, and don't protect anything
important, it will stop the 100% of the attackers anyway.


--
--
ℱin del ℳensaje.



More information about the NANOG mailing list