This would provide protection against a typical CSRF attack: since
the attacker cannot read or write the user's cookies for your domain,
he would be unable either to supply two arbitrary matching strings or
to match the string in an existing cookie.

However, if combined with an XSS attack (where malicious code is
running in the user's browser on your domain), it would be trivial to
defeat your protective measures by simply writing an arbitrary string
to the cookie, and then supplying the same string with the query.

On Aug 6, 5:25 pm, Arthur Kalmenson <[email protected]> wrote:
> Normally you get a session ID from the server and store that in a
> cookie and use the session id to make sure the user is actually logged
> in.
>
> --
> Arthur Kalmenson
>
>
>
> On Tue, Aug 4, 2009 at 9:16 AM, jahboite<[email protected]> wrote:
>
> > Hello GWTers!
>
> > Having read the XSRF and GWT section of the page at
> >http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...
> > I'm trying to implement the suggested protection which involves
> > sending an extra 'cookie value' param in GWT calls and then comparing
> > that value with the value of the cookie header.
>
> > My question involves the generation of the cookie value and whether it
> > is safe to do this on the client.  As long as it doesn't impact client
> > performance, it seems to me that generating a random token, setting
> > the cookie with that token and sending the same token as a param in
> > RPC calls would be a neat way to offload CPU cycles to the client.
> > The server would then only need to compare the cookie header with the
> > token received in each RPC call and drop the call if the values don't
> > match (on the assumption that the call hasn't been made by the logged-
> > in client).
>
> > Is that safe?  Is there a way for a forged request to include a
> > cookie?  If the server merely compares two arbitrary strings, wouldn't
> > it be easy for a forger to bypass the restrictions relied upon for
> > this type of protection?
>
> > Any insights gratefully received.
>
> > Cheers.
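The two cases discussed in this thread (a plain cross-site forgery, where the attacker's page cannot read or set the victim's cookie, versus a script already running on the origin that can set both values) can be made concrete with a small simulation of the double-submit check. The following is an added example and is not code from the thread or from GWT; the cookie name, parameter name, minimum token length and the helper function names are assumptions made for the illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical names used for this example only.
COOKIE_NAME = "xsrf_token"   # cookie the client sets
PARAM_NAME = "xsrf_token"    # extra parameter sent with each RPC call
MIN_TOKEN_LEN = 16           # reject trivially short or empty tokens


def client_generate_token() -> str:
    """Client side (the browser, as the thread proposes): mint a random token.

    secrets.token_hex gives 32 hex characters of CSPRNG output.
    """
    return secrets.token_hex(16)


def server_check(cookie_header: str, rpc_params: dict) -> bool:
    """Server side: accept the RPC only if the cookie and the parameter match.

    Returns True when the call should be processed, False when it should be dropped.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    cookie_token = morsel.value if morsel is not None else ""
    param_token = rpc_params.get(PARAM_NAME, "")

    # A missing cookie and a missing parameter would otherwise compare equal ("" == ""),
    # so require both to be present and of a sane length before comparing.
    if len(cookie_token) < MIN_TOKEN_LEN or len(param_token) < MIN_TOKEN_LEN:
        return False

    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(cookie_token, param_token)


def simulate_legitimate_call() -> bool:
    """The real client: sets the cookie and sends the same token as the RPC parameter."""
    token = client_generate_token()
    cookie_header = f"{COOKIE_NAME}={token}"
    return server_check(cookie_header, {PARAM_NAME: token})


def simulate_cross_site_forgery(victim_cookie_header: str) -> bool:
    """A forged request from another origin.

    The browser attaches the victim's existing cookie automatically, but the attacker's page
    can neither read that cookie nor set one for this domain, so the parameter it supplies
    is at best a guess and the check fails.
    """
    attacker_guess = client_generate_token()  # constructed: an unrelated random value
    return server_check(victim_cookie_header, {PARAM_NAME: attacker_guess})


def simulate_same_origin_script() -> bool:
    """Script already running on the site's origin (the XSS case raised in the reply above).

    Such a script can write the cookie and send the identical value as the parameter,
    so the double-submit check passes. This shows the limit of the scheme, not a new flaw.
    """
    chosen = "a" * 32  # constructed: any value the script chooses
    return server_check(f"{COOKIE_NAME}={chosen}", {PARAM_NAME: chosen})


if __name__ == "__main__":
    print("legitimate call accepted:", simulate_legitimate_call())
    print("cross-site forgery accepted:", simulate_cross_site_forgery(f"{COOKIE_NAME}={'b' * 32}"))
    print("same-origin script accepted:", simulate_same_origin_script())
```

The design choice worth noting is the length check before the comparison: a double-submit implementation that only tests `cookie == param` will accept a request carrying neither, since two absent values compare equal. The same-origin case is deliberately left passing, because that is exactly the boundary the reply above describes: the cookie-match scheme is a CSRF defence, not an XSS defence.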