Many thanks for the reply. This is perfect and I can get back to the
pen-testers now that I fully understand the issue.
Regards,
Gruff
On Thursday, 23 August 2012 02:04:56 UTC+1, Paul McMillan wrote:
>
> Hi Gruffudd,
>
> If the cookie were set to expire at browser close, it would cause CSRF
> errors for users who closed a browser (or bookmarked a page with a
> form on it) and then loaded that page from a browser cache and
> submitted the form. I'm ambivalent about whether this use case is
> worth supporting
The results of a recent penetration test brought up the issue of the use of
persistent cookies, specifically the CSRF cookie which has an expiry date one
year in the future.
The rationale given was that since the cookie is stored on the hard drive then
it is theoretically possible to get hold
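The scenario Paul describes, as an added simulation that is not part of this thread or of Django itself: a double-submit check in the style of Django's CsrfViewMiddleware (cookie `csrftoken` must equal the hidden `csrfmiddlewaretoken` field), run once with a session-only CSRF cookie and once with a persistent one. The `Browser` and `Server` classes and the `cookie_age` parameter are constructed for the example; real Django compares a masked token rather than the raw cookie value.

```python
import hmac
import secrets

SESSION = None          # cookie with no max-age: dropped when the browser closes
ONE_YEAR = 31449600     # seconds; persistent cookie, survives browser restarts

class Browser:
    """Minimal cookie jar plus page cache (constructed for this example)."""

    def __init__(self):
        self.cookies = {}   # name -> (value, max_age)
        self.cache = {}     # url -> token embedded in the cached form page

    def close_and_reopen(self):
        # Closing the browser discards session cookies; cached pages stay on disk.
        self.cookies = {n: (v, a) for n, (v, a) in self.cookies.items() if a is not None}

class Server:
    """Double-submit cookie check in the style of Django's CsrfViewMiddleware."""

    def __init__(self, cookie_age):
        self.cookie_age = cookie_age

    def get_form(self, browser, url):
        # Issue a CSRF cookie if the browser has none, then render the token into the form.
        if "csrftoken" not in browser.cookies:
            browser.cookies["csrftoken"] = (secrets.token_hex(16), self.cookie_age)
        token = browser.cookies["csrftoken"][0]
        browser.cache[url] = token      # the hidden csrfmiddlewaretoken field
        return token

    def post_form(self, browser, form_token):
        # The POST is rejected when the cookie is absent or differs from the form token.
        cookie = browser.cookies.get("csrftoken")
        if cookie is None:
            return "403: CSRF cookie not set"
        if not hmac.compare_digest(cookie[0], form_token):
            return "403: CSRF token missing or incorrect"
        return "200 OK"

def submit_cached_form_after_restart(cookie_age):
    """Load a form, restart the browser, then submit the cached copy of that form."""
    browser, server = Browser(), Server(cookie_age)
    server.get_form(browser, "/form/")
    browser.close_and_reopen()
    return server.post_form(browser, browser.cache["/form/"])

if __name__ == "__main__":
    for age in (SESSION, ONE_YEAR):
        print(age, submit_cached_form_after_restart(age))
```

With the session-only cookie the cached form fails the check after a restart, which is exactly the breakage Paul is weighing against the pen-testers' concern about the year-long cookie.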