Re: [Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-30 Thread Brad Jorsch (Anomie)
On Thu, Sep 29, 2016 at 5:10 PM, Max Semenik wrote: > On Thu, Sep 29, 2016 at 1:37 PM, Brad Jorsch (Anomie) < > bjor...@wikimedia.org > > wrote: > > Note it will affect scripts and API clients that expect to see "+\" as > the > > token as a sign that they're logged out, or

Re: [Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-29 Thread Marcin Cieslak
On 29.09.2016 Max Semenik wrote: >> Note it will affect scripts and API clients that expect to see "+\" as the >> token as a sign that they're logged out, or worse assume that's the token >> and don't bother to fetch it. > > > We had breaking API/frontend

Re: [Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-29 Thread Daniel Friesen
On 2016-09-29 1:00 PM, Brian Wolff wrote: > Personally, my preferred solution [0] [I might be biased in evaluating > them] would be to base the CSRF token on a session cookie if one > exists. If one does not exist, use a HMAC of the users IP addressed, > keyed using a server side secret (The only

Re: [Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-29 Thread Max Semenik
On Thu, Sep 29, 2016 at 1:37 PM, Brad Jorsch (Anomie) wrote: > On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff wrote: > > > This way it will work for users without cookies (Maybe none exist, but I > > like the idea you can edit wikipedia without cookies)

Re: [Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-29 Thread Brad Jorsch (Anomie)
On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff wrote: > This way it will work for users without cookies (Maybe none exist, but I > like the idea you can edit wikipedia without cookies) There have been people who disabled cookies and still wanted to be able to use the sites.

[Wikitech-l] [RFC] Giving actual CSRF tokens to not logged in users (T40417)

2016-09-29 Thread Brian Wolff
Hi everyone: Currently, the CSRF token for anonymous users is very predictable. This potentially allows someone to make CSRF attacks against non-logged in users. I would like to propose we change that. Since this is a sort of major change, I'd appreciate everyone's feedback. There are multiple