On Mar 26, 2009, at 6:14 AM, Malthe Borch wrote:

> 2009/3/26 Wichert Akkerman <wich...@wiggy.net>:
>> Is that safe? Isn't there a risk of the csrf cookies persisting longer
>> than the auth session?
>
> The assumption with the CSRF vulnerability is that there *is* a cookie
> that authenticates the user. If it had expired, this wouldn't be the
> case.

I thought it was less about authenticating the user; more about verifying that the requestor POSTing a form was the same requestor that requested a form.

Something like:

secret_form_id = uuid4()

inject something like the following into a form being rendered:
<input type="hidden" name="FORM_ID" value="${secret_form_id}">

And in the same request set a cookie with:

name=FORM_ID value=${secret_form_id}

Then upon POST submission verify:

assert request.form.FORM_ID == request.cookie.FORM_ID

or something...

I know this doesn't cover all cases (xmlhttprequest) but AFAIU it is a solid way to protect POSTs from CSRF without requiring a shared secret.

~ro
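The pattern sketched above, written out as an added example in Python (not code from this thread or from any repoze package). The cookie and hidden-field names follow the message; the session-cookie attributes, the use of a constant-time comparison, and the rejection of an empty or missing pair are assumptions of this example, not something the thread states:

```python
import hmac
import uuid
from html import escape

COOKIE_NAME = "FORM_ID"  # names as used in the message above
FIELD_NAME = "FORM_ID"


def new_form_id():
    """Fresh per-form random value; a third-party site cannot guess it."""
    return uuid.uuid4().hex


def render_hidden_field(form_id):
    """Hidden input to inject into the form being rendered."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD_NAME, escape(form_id, quote=True))


def set_cookie_header(form_id):
    """Set-Cookie value issued in the same response as the form.

    Assumption: no Expires/Max-Age, so it is a session cookie and does not
    outlive the browser session (Wichert's concern); HttpOnly because the
    value is already available to the page through the hidden field.
    """
    return "%s=%s; Path=/; HttpOnly" % (COOKIE_NAME, form_id)


def verify_post(form, cookies):
    """Double-submit check on POST: the submitted field must equal the cookie.

    Both values must be present and non-empty. A naive
    `form.get(...) == cookies.get(...)` would accept a request that carries
    neither (None == None), which is exactly a cross-site request.
    """
    submitted = form.get(FIELD_NAME)
    expected = cookies.get(COOKIE_NAME)
    if not submitted or not expected:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(submitted.encode("utf-8"),
                               expected.encode("utf-8"))
```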

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev