On Thu, Sep 29, 2016 at 5:10 PM, Max Semenik wrote:
> On Thu, Sep 29, 2016 at 1:37 PM, Brad Jorsch (Anomie) <
> bjor...@wikimedia.org
> > wrote:
> > Note it will affect scripts and API clients that expect to see "+\" as
> the
> > token as a sign that they're logged out, or
On 29.09.2016 Max Semenik wrote:
>> Note it will affect scripts and API clients that expect to see "+\" as the
>> token as a sign that they're logged out, or worse assume that's the token
>> and don't bother to fetch it.
>
>
> We had breaking API/frontend
On 2016-09-29 1:00 PM, Brian Wolff wrote:
> Personally, my preferred solution [0] [I might be biased in evaluating
> them] would be to base the CSRF token on a session cookie if one
> exists. If one does not exist, use an HMAC of the user's IP address,
> keyed using a server side secret (The only
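A sketch of the approach Brian describes above (a token bound to the session cookie when one exists, otherwise an HMAC of the client IP under a server-side secret), added here as an illustration in Python rather than MediaWiki's own PHP; it is not code from the thread or from MediaWiki, and the secret, session ids, IP values and function names are constructed for the example:

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret for the example. In a real deployment this is a long
# random value loaded from server-side configuration, never a source literal.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def anon_csrf_token(client_ip: str, session_id: Optional[str] = None) -> str:
    """Derive a CSRF token for a request.

    With a session cookie present, the token is bound to the session id;
    without one, it is bound to the client's IP address. Both branches key
    the HMAC with SERVER_SECRET, so knowing the IP alone is not enough to
    compute the token: the server key is required as well.
    """
    if session_id:
        material = b"session:" + session_id.encode()
    else:
        # All clients sharing one IP receive the same token in this branch;
        # the session branch avoids that whenever a cookie is available.
        material = b"ip:" + client_ip.encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def verify_csrf_token(submitted: str, client_ip: str,
                      session_id: Optional[str] = None) -> bool:
    """Recompute the expected token for this client and compare in constant
    time, so the comparison itself leaks nothing about the expected value."""
    expected = anon_csrf_token(client_ip, session_id)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    # Constructed sample clients: one anonymous, one with a session cookie.
    print("anon  :", anon_csrf_token("203.0.113.5"))
    print("session:", anon_csrf_token("203.0.113.5", session_id="sess-abc123"))
```

The fixed "+\" value the thread mentions is never produced by this derivation, and the old-style check for it fails verification as any other stale value would.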
On Thu, Sep 29, 2016 at 1:37 PM, Brad Jorsch (Anomie) wrote:
> On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff wrote:
>
> > This way it will work for users without cookies (Maybe none exist, but I
> > like the idea you can edit wikipedia without cookies)
On Thu, Sep 29, 2016 at 4:00 PM, Brian Wolff wrote:
> This way it will work for users without cookies (Maybe none exist, but I
> like the idea you can edit wikipedia without cookies)
There have been people who disabled cookies and still wanted to be able to
use the sites.
Hi everyone:
Currently, the CSRF token for anonymous users is very predictable.
This potentially allows someone to make CSRF attacks against
non-logged in users. I would like to propose we change that. Since
this is a sort of major change, I'd appreciate everyone's feedback.
There are multiple