Security Basics mailing list archives
Re: Cross-Site Request Forgeries
From: "Gregory Rubin" <grrubin () gmail com>
Date: Mon, 28 Jul 2008 10:02:47 -0700
For that matter there are two different types of nonce that can be used:

* "Unique" Nonces: These are different for every form that you want to protect (even for the same session). Sometimes they are even different for different times that the same user/session visits the same form.
* "Session" Nonces: Your session cookies/ids should be cryptographically strong anyway (and expire) so you can simply use your session Id as the nonce in all of your forms for the session and just compare it against the cookie value.

I recommend that people use session nonces because they are far easier to implement and require fewer modifications to the code. The problem with them is that it is easier to accidentally leak the session Id (or for users to do that by posting a URL containing the Id). If you are leaking session Ids, that needs to be fixed anyways. If the user leaks it, then a single user is vulnerable to CSRF (and the attacker would need to target them) so the risk is still very small.

It's the type of thing that should be determined on a case-by-case basis, but the session nonces are usually better.

Greg

On Mon, Jul 28, 2008 at 5:21 AM, Dave Hull <dphull () trustedsignal com> wrote:
On Fri, Jul 25, 2008 at 12:46 PM, Ricardo Tiago <rtiago () gmail com> wrote:

What methods exist to protect against Cross-Site Request Forgeries? And what is the most efficient one?

Standard protection against CSRF is to include a cryptographically strong nonce as a hidden form field value. This value is recorded server side such that when the POST comes back to the server from the client, the nonce that comes back is compared against what was recorded server side; if they match, then you know that the POST is really being submitted by someone who requested the page from your server. Your nonces should be set to expire.

--
Dave Hull
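The two nonce styles discussed in this thread, as an added example that is not code from any poster: a minimal Python sketch of (a) "unique" nonces recorded server side, single-use and expiring, as Dave Hull describes, and (b) "session" nonces where the hidden form field is simply compared against the session cookie, as Greg describes. The in-memory store, the 600-second lifetime, and all function names are assumptions made for the example; a real application would keep the unique-nonce store in its session backend. Both checks use a constant-time comparison so the nonce cannot be guessed byte by byte via timing.

```python
import hmac
import secrets
import time

# Assumed lifetime for a unique nonce; Dave's advice is only that nonces expire.
NONCE_TTL_SECONDS = 600

# Constructed in-memory store: token -> (session_id, form_name, expires_at).
# In a real app this lives in the session backend, keyed to the user's session.
_unique_nonces = {}


def issue_unique_nonce(session_id, form_name, now=None):
    """Create a fresh, cryptographically strong nonce for one form render.

    A new value is issued every time the form is shown, so each render of
    the same form for the same session carries a different token.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _unique_nonces[token] = (session_id, form_name, now + NONCE_TTL_SECONDS)
    return token


def verify_unique_nonce(token, session_id, form_name, now=None):
    """Check a submitted unique nonce: known, unexpired, single use,
    and bound to both the submitting session and the named form."""
    now = time.time() if now is None else now
    entry = _unique_nonces.pop(token, None)  # pop => a replayed token fails
    if entry is None:
        return False
    stored_session, stored_form, expires_at = entry
    if now > expires_at:
        return False
    # compare_digest keeps the comparison constant-time; inputs are ASCII.
    return (hmac.compare_digest(stored_session, session_id)
            and stored_form == form_name)


def session_nonce(session_id):
    """Session-nonce style: the hidden field value is the session id itself."""
    return session_id


def verify_session_nonce(form_value, cookie_session_id):
    """Session-nonce check: the hidden field must equal the session cookie.

    A cross-site attacker can make the victim's browser send the cookie but
    cannot read it, so a forged form cannot contain the matching value.
    """
    if not form_value or not cookie_session_id:
        return False
    return hmac.compare_digest(form_value, cookie_session_id)


def handle_transfer_post(form_fields, cookies, mode="session", now=None):
    """Gate a state-changing POST on whichever nonce style is in use.

    form_fields and cookies are plain dicts standing in for the request.
    Returns True when the request may proceed.
    """
    session_id = cookies.get("sessionid", "")
    submitted = form_fields.get("csrf_nonce", "")
    if mode == "unique":
        return verify_unique_nonce(submitted, session_id, "transfer", now=now)
    return verify_session_nonce(submitted, session_id)


if __name__ == "__main__":
    sid = secrets.token_urlsafe(32)  # constructed session id for the demo
    good = {"csrf_nonce": session_nonce(sid), "amount": "10"}
    forged = {"amount": "10"}  # a cross-site form cannot include the cookie value
    print("legit:", handle_transfer_post(good, {"sessionid": sid}))
    print("forged:", handle_transfer_post(forged, {"sessionid": sid}))
```

Usage note: with the session-nonce style the only server change is adding the hidden field to each form and the one comparison on submit, which is why Greg calls it easier to adopt; the unique-nonce style needs storage and cleanup of expired tokens but limits the damage if a single form's token is ever exposed.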
Current thread:
- Cross-Site Request Forgeries Ricardo Tiago (Jul 27)
- Re: Cross-Site Request Forgeries Emilio Casbas (Jul 28)
- RE: Cross-Site Request Forgeries Sergio Castro (Jul 28)
- Re: Cross-Site Request Forgeries Dave Hull (Jul 28)
- Re: Cross-Site Request Forgeries Gregory Rubin (Jul 28)