Hi, I don't see how realm-based-authentication can prevent CSRF attacks. It doesn't matter how the authentication token is generated, as long as it is stored in the cookies, the browser will send it automatically also for malicious requests. It could only work if you set a very short expiration time and make users authenticate themselves each time they want to edit a page, which is quite inconvenient for a Wiki.
So, just in case it wasn't clear, the secret token is *not* stored in the cookies. It is stored on the server side in the session object and is included in the HTML.

Alex

On 03/08/2010 11:00 PM, Niels Mayer wrote:
> Instead of having all these secret tokens and modifying all over the
> place, what about using something like realm-based-authentication
> (implemented in cookies); the presence of one of these crypto-cookies
> performs the same role as your nonce-token parameter. However, by having
> the verification of these cookies integrated in with the overall
> login/access control mechanism of Xwiki, you can achieve the same thing,
> without as many modifications and incompatibilities (IMHO).
>
> The use of realms allows for different levels of security and access for
> different components... e.g. one might have public, private, and admin
> realms and different cookies would be generated containing this realm
> information (i.e. what spaces can be accessed from any requests
> associated w/ that cookie). The cookies are signed and timestamped and
> therefore tamper-proof... You can generate these cookie-tokens as often
> as you like, and they contain a signed timestamp that can allow you to
> set quick expiry - on the order of one minute, or a few tens of seconds...
>
> See http://www.frogdot.org/mod_auth_mda/mechanicg.html
> http://www.frogdot.org/mod_auth_mda/mechanics.html
> http://www.frogdot.org/mod_auth_mda/download.html
>
> Niels
> http://nielsmayer.com
>
> On Sun, Mar 7, 2010 at 11:46 AM, Alex Busenius <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hi,
>
> I would like to add support for secret token verification to prevent
> CSRF attacks (see http://jira.xwiki.org/jira/browse/XWIKI-4873).
>
> The main idea is to add a random token as a parameter to each request
> that requires edit/comment/admin rights and check that this token is
> present on the server side. Since there are many ways one can modify
> documents, it would require many changes all over the place, in
> particular:
>
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
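The two designs debated above, shown side by side as an added illustration (not code from this thread or from XWiki): the token kept in the server-side session and embedded in the served HTML, checked as a request parameter on every editing request, versus the same token carried only in a cookie. The cookie name `session_id`, the parameter name `form_token` and the in-memory session store are assumptions made for the example.

```python
import hmac
import re
import secrets

SESSIONS = {}  # constructed in-memory session store: session id -> server-side state

def login():
    """Start a session. Only the opaque id goes to the browser (as a cookie);
    the CSRF token stays in the server-side session object."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_edit_form(sid):
    """Embed the session's token in the served page. A page on another origin
    cannot read this HTML, so it cannot learn the value ('form_token' is hypothetical)."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/edit">'
            f'<input type="hidden" name="form_token" value="{token}"></form>')

def handle_edit(cookies, params):
    """Synchronizer-token check: the value sent as a request parameter must
    match the one stored server-side for the cookie's session."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401  # no valid session
    if not hmac.compare_digest(params.get("form_token", ""), session["csrf_token"]):
        return 403  # token missing or wrong: reject the edit
    return 200

def handle_edit_cookie_token(cookies, params):
    """For contrast: the token carried only in a cookie. The browser attaches cookies
    to every request for the site, so this also passes for a request a third-party page triggers."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401
    if not hmac.compare_digest(cookies.get("csrf_cookie", ""), session["csrf_token"]):
        return 403
    return 200

def demo():
    """Return status codes for (legitimate edit, forged edit, forged edit under the cookie-only check)."""
    sid = login()
    cookies = {"session_id": sid, "csrf_cookie": SESSIONS[sid]["csrf_token"]}
    token = re.search(r'value="([^"]+)"', render_edit_form(sid)).group(1)
    legit = handle_edit(cookies, {"form_token": token})
    forged = handle_edit(cookies, {"content": "changed from another site"})  # cookie sent, no token
    return legit, forged, handle_edit_cookie_token(cookies, {"content": "changed"})
```

`demo()` returns `(200, 403, 200)`: the parameter-based check rejects the forged request while the cookie-only check accepts it, which is the point made at the top of this thread.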

