Security Basics mailing list archives

Re: Cookie Security


From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:24:19 +0300

2008/4/30 Orlin Gueorguiev <orlin () baturov com>:

 <img
 src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

 If Bob's bank keeps his authentication information in a cookie, and if the
 cookie hasn't expired, then Bob's browser's attempt to load the image will
 submit the withdrawal form with his cookie, thus authorizing a transaction
 without Bob's approval.
 =====
 So... what I am asking myself is how your concept can ensure that CSRF is not
 going to be exploited?

You already have answered your question using your "if's". Tokens can't
be in the cookies, because they are sent back on every request.
But if the token is used, for example, in a URL, then your method will
not work. But again, this technique will not work if the site is
vulnerable to XSS. Most security methods against CSRF don't work
if the site has an XSS vulnerability. Then a much better way is to use
something like a captcha. Just ask the user to do something before
important actions. But again, the captcha can't be too complicated, because
you will have another problem: usability of the website. :) Better
security always means less usability, and finding the middle ground is quite
hard.
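
As an added example (not from the thread), here is a minimal server-side check in Python for the reply's point: the session id stays in the cookie, while the anti-CSRF token is delivered only in the bank's own page and verified against that session. The function names, the HMAC binding of token to session, and the sample request URLs are my assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed per-deployment secret; a real server would load it from config.
SERVER_KEY = secrets.token_bytes(32)

def csrf_token_for(session_id: str) -> str:
    """Bind the anti-CSRF token to the session with an HMAC so it cannot be
    guessed, and so a token for one session is useless with another's cookie."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def issue_session() -> tuple:
    """Login: the session id goes into a cookie, the token is embedded only in
    the bank's own HTML (hidden form field or link), never set as a cookie."""
    session_id = secrets.token_hex(16)
    return session_id, csrf_token_for(session_id)

def handle_withdraw(cookies: dict, url: str) -> str:
    """cookies: what the browser attached automatically; url: full request URL.
    Returns 'ok: ...' or 'rejected: ...'."""
    session_id = cookies.get("session")
    if session_id is None:
        return "rejected: no session cookie"
    params = parse_qs(urlsplit(url).query)
    token = params.get("csrf", [None])[0]
    if token is None:
        return "rejected: missing csrf token"
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "rejected: csrf token does not match session"
    return "ok: withdraw %s from %s for %s" % (
        params["amount"][0], params["account"][0], params["for"][0])

# Bob logs in: his browser holds the cookie, the bank's page holds the token.
BOB_SESSION, BOB_TOKEN = issue_session()
BOB_COOKIES = {"session": BOB_SESSION}

# The <img> request from the quoted post: the browser attaches Bob's cookie on
# its own, but the attacker's page has no way to know Bob's token...
FORGED_URL = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"
# ...unless an XSS flaw on the bank site lets injected script read it out of
# the page, which is why the reply says XSS defeats this defence.

# The same action submitted through the bank's own form, token included.
LEGIT_URL = FORGED_URL + "&csrf=" + BOB_TOKEN

if __name__ == "__main__":
    print(handle_withdraw(BOB_COOKIES, FORGED_URL))  # rejected: missing csrf token
    print(handle_withdraw(BOB_COOKIES, LEGIT_URL))   # ok: withdraw 1000000 from bob for mallory
```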

