Security Basics mailing list archives

Re: Cross-Site Request Forgeries


From: "Gregory Rubin" <grrubin () gmail com>
Date: Mon, 28 Jul 2008 10:02:47 -0700

For that matter, there are two different types of nonce that can be used:
* "Unique" Nonces: These are different for every form that you want to
protect (even for the same session).  Sometimes they are even
different for different times that the same user/session visits the
same form.
* "Session" Nonces:  Your session cookies/ids should be
cryptographically strong anyway (and expire) so you can simply use
your session Id as the nonce in all of your forms for the session and
just compare it against the cookie value.

I recommend that people use session nonces because they are far easier
to implement and require fewer modifications to the code.  The problem
with them is that it is easier to accidentally leak the session Id (or
for users to do that by posting a URL containing the Id). If you are
leaking session Ids, that needs to be fixed anyway.  If the user
leaks it, then a single user is vulnerable to CSRF (and the attacker
would need to target them) so the risk is still very small.

It's the type of thing that should be determined on a case-by-case
basis, but the session nonces are usually better.

Greg

On Mon, Jul 28, 2008 at 5:21 AM, Dave Hull <dphull () trustedsignal com> wrote:
On Fri, Jul 25, 2008 at 12:46 PM, Ricardo Tiago <rtiago () gmail com> wrote:

What methods exist to protect against Cross-Site Request Forgeries?
And what is the most efficient one?

Standard protection against CSRF is to include a cryptographically
strong nonce as a hidden form field value. This value is recorded
server side such that when the POST comes back to the server from the
client, the nonce that comes back is compared against what was
recorded server side; if they match, then you know that the POST is
really being submitted by someone who requested the page from your
server.

Your nonces should be set to expire.

--
Dave Hull
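Both schemes discussed in this thread, as an added illustration that is not code from either poster: a per-form nonce store that is single-use and expires (Greg's "unique" type, with the expiry Dave mentions) next to the session-id comparison that needs no server-side bookkeeping (Greg's "session" type). The in-memory store, the function names and the 15-minute TTL are assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory store for per-form ("unique") nonces; a real app
# would keep this inside the server-side session. token -> (session_id,
# form_name, expiry timestamp).
_unique_nonces = {}


def issue_unique_nonce(session_id, form_name, ttl_seconds=900, now=None):
    """Mint a fresh, expiring nonce for one form in one session and return it
    so the caller can embed it as the hidden field value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # cryptographically strong, per form
    _unique_nonces[token] = (session_id, form_name, now + ttl_seconds)
    return token


def verify_unique_nonce(session_id, form_name, token, now=None):
    """Accept a posted token once, and only for the session and form it was
    issued for, and only before it expires."""
    now = time.time() if now is None else now
    entry = _unique_nonces.pop(token, None)  # single use: consumed on first check
    if entry is None:
        return False  # never issued, already used, or forged
    sid, form, expires = entry
    return sid == session_id and form == form_name and now <= expires


def verify_session_nonce(cookie_session_id, form_value):
    """Session-nonce variant: the hidden field carries the session id and is
    compared against the session cookie that arrived with the POST. No
    server-side record is needed; the cookie itself is the reference."""
    if not cookie_session_id or not form_value:
        return False
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(cookie_session_id, form_value)


if __name__ == "__main__":
    tok = issue_unique_nonce("sessA", "transfer", now=1000)
    print(verify_unique_nonce("sessA", "transfer", tok, now=1030))  # True
    print(verify_unique_nonce("sessA", "transfer", tok, now=1031))  # False (replay)
    print(verify_session_nonce("abc123", "abc123"))                  # True
```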
