nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
From: " ." <oscar.vives () gmail com>
Date: Fri, 18 Jan 2013 09:41:41 +0100
On 17 January 2013 23:38, Matt Palmer <mpalmer () hezmatt org> wrote:
> ..
> By the way, if anyone *does* know of a good and reliable way to prevent CSRF without the need for any cookies or persistent server-side session state, I'd love to know how. Ten minutes with Google hasn't provided any useful information.
I think many people create <form>s with a secret code that is different and hopefully can't be predicted by the attackers.

<form method="post">
<input type="hidden" name="id_user" value="33">
<input type="hidden" name="action" value="delete_user">
<input type="hidden" name="secret" value="5ebe2294ecd0e0f08eab7690d2a6ee69">
<input type="submit" value="Delete user">
</form>

The easy way to do this is to generate the secret from the md5 of the time in milliseconds + a salt string, and store the generated secret server-side. But if you don't want to store this secret key anywhere on the server, you can rely on security by obscurity and generate it by a predictable algorithm, like md5( year + "_SALT_" + id_user + day_of_year ). An attacker can figure out the algorithm, or it can be leaked, but if your site is small and doesn't protect anything important, it will stop 100% of the attackers anyway.

-- 
End of message.
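As an added example (not code from the post or from any project), the form-secret schemes sketched in the message above, written out in Python 3. It covers the stored random secret, the post's stateless md5(year + salt + id_user + day_of_year) formula, and a stateless variant that swaps the unkeyed md5 for an HMAC keyed with a server secret and bound to the action, so that learning the formula alone does not let anyone mint tokens and a token for one action cannot be replayed for another. The salt, the server key, the user id and the dates are constructed for the example; the in-memory dict stands in for whatever store a real site would use.

```python
"""Added example (not from the post or any project): CSRF form secrets as
described above, in three variants. Keys, salts, ids and dates are constructed."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

SALT = "_SALT_"                                # the salt string from the post (hypothetical value)
SERVER_KEY = b"example-only-hmac-key-replace"  # hypothetical server-side key, never sent to clients


# --- Scheme 1: random secret stored server-side, one per rendered form --------
ISSUED: dict[str, tuple[int, str]] = {}        # token -> (user_id, action); stand-in for a DB table


def issue_stored_token(user_id: int, action: str) -> str:
    token = secrets.token_hex(16)              # 128 random bits; nothing to guess from the clock
    ISSUED[token] = (user_id, action)
    return token


def redeem_stored_token(token: str, user_id: int, action: str) -> bool:
    """Single use: the entry is discarded on first presentation, valid or not."""
    return ISSUED.pop(token, None) == (user_id, action)


# --- Scheme 2: the post's stateless formula, md5(year + salt + id_user + day_of_year) --
def obscurity_token(user_id: int, day_iso: str, salt: str = SALT) -> str:
    """Reproducible by anyone who learns both the formula and the salt."""
    day = date.fromisoformat(day_iso)
    material = f"{day.year}{salt}{user_id}{day.timetuple().tm_yday}"
    return hashlib.md5(material.encode()).hexdigest()


# --- Scheme 3: stateless, keyed, and bound to the action ----------------------
def derived_token(user_id: int, action: str, day_iso: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over (user, action, day). The formula may be public; the key is not,
    and a token minted for 'view' cannot be replayed as 'delete_user'."""
    msg = f"{user_id}|{action}|{day_iso}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_derived_token(token: str, user_id: int, action: str, today_iso: str,
                         key: bytes = SERVER_KEY) -> bool:
    """Accept today's or yesterday's token so a form rendered just before midnight
    still submits; compare in constant time against every candidate."""
    today = date.fromisoformat(today_iso)
    ok = False
    for day in (today, today - timedelta(days=1)):
        ok |= hmac.compare_digest(token, derived_token(user_id, action, day.isoformat(), key))
    return ok


def render_form(user_id: int, action: str, day_iso: str) -> str:
    """The form from the post, with the secret filled in from scheme 3."""
    token = derived_token(user_id, action, day_iso)
    return (
        '<form method="post">\n'
        f'<input type="hidden" name="id_user" value="{user_id}">\n'
        f'<input type="hidden" name="action" value="{action}">\n'
        f'<input type="hidden" name="secret" value="{token}">\n'
        '<input type="submit" value="Delete user">\n'
        '</form>'
    )


def handle_post(form: dict, today_iso: str) -> str:
    """Server side of the submit: refuse the action unless the secret checks out."""
    user_id = int(form["id_user"])
    if not verify_derived_token(form.get("secret", ""), user_id, form["action"], today_iso):
        return "rejected"
    return f"{form['action']} on user {user_id}"


if __name__ == "__main__":
    day = "2013-01-18"
    print(render_form(33, "delete_user", day))
    print(handle_post({"id_user": "33", "action": "delete_user",
                       "secret": derived_token(33, "delete_user", day)}, day))
    # Anyone holding the salt reproduces scheme 2 exactly (day 18 of 2013):
    print(obscurity_token(33, day) == hashlib.md5(b"2013_SALT_3318").hexdigest())
```

Scheme 3 is the one that answers the quoted question as asked: no cookie and no per-session state, only one server-side key. Its cost is the day-granular lifetime, which is why the verifier accepts the previous day as well; a tighter window would put an explicit timestamp into the signed message instead of relying on the date.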
Current thread:
- Re: ripe/ncc likes cookies, (continued)
- Re: ripe/ncc likes cookies Andrew Latham (Jan 12)
- Re: ripe/ncc likes cookies Randy Bush (Jan 12)
- Re: ripe/ncc likes cookies Grant Ridder (Jan 12)
- Re: ripe/ncc likes cookies Randy Bush (Jan 12)
- RE: ripe/ncc likes cookies Keith Medcalf (Jan 12)
- Re: ripe/ncc likes cookies Owen DeLong (Jan 14)
- Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) Shrdlu (Jan 16)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) john (Jan 17)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) Matt Palmer (Jan 17)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) . (Jan 18)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) Matt Palmer (Jan 19)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) George Herbert (Jan 19)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) Matt Palmer (Jan 20)
- Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...) George Herbert (Jan 20)