On Apr 4, 8:56 am, pansen <[email protected]> wrote:
> Hi,
>
> Now we prevent anybody from stealing our sessions, but we are also unable
> to use the sessionid as CSRF protection. Therefore it's necessary to use a
> different token for this kind of protection. We call it ``X-Request-Token``,
> which is returned from the server besides the ``Set-Cookie`` header.

Perhaps I'm missing something, but isn't this just security through
obscurity? You've raised the bar to some extent, but presumably
you're storing that security token in some sort of client variable.
Can't the injected code then just access that same variable too, once
the attacker figures out where to look for it?

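As an added example (not code from either poster or from GWT), here is a minimal server-side check of the scheme under discussion: a per-session X-Request-Token, separate from the session cookie, verified on each state-changing request. The in-memory session store, the ``sid`` cookie name and the ``simulate()`` driver are assumptions for illustration; the last comment records the limitation raised in the reply.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> request token bound to it.
SESSIONS = {}


def issue_session():
    """Server side: create a session and a separate X-Request-Token.

    The token is random and bound to the session, but is never the session
    id itself, so exposing it to page script does not expose the session.
    """
    session_id = secrets.token_urlsafe(32)
    request_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = request_token
    # The response would carry both values:
    #   Set-Cookie: sid=<session_id>; HttpOnly
    #   X-Request-Token: <request_token>
    return session_id, request_token


def check_request(cookies, headers):
    """Server side: accept a state-changing request only if the header token
    matches the token bound to the session named by the cookie."""
    expected = SESSIONS.get(cookies.get("sid", ""))
    presented = headers.get("X-Request-Token", "")
    if expected is None or not presented:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, presented)


def simulate():
    sid, token = issue_session()
    # Same-origin client code reads the token from its variable and sends it.
    legit = check_request({"sid": sid}, {"X-Request-Token": token})
    # Classic CSRF: the browser attaches the cookie automatically, but a
    # third-party page cannot add a custom header, so the token is absent.
    csrf = check_request({"sid": sid}, {})
    # A guessed token is rejected as well.
    guess = check_request({"sid": sid}, {"X-Request-Token": "x" * 43})
    # Limitation noted in the reply: script already running in the page
    # (e.g. via XSS) can read the same variable, so this defends against
    # cross-site forgery, not against injected same-origin code.
    return {"legit": legit, "csrf": csrf, "guess": guess}
```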