CSRF Tokens In Cookies.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: CSRF Tokens In Cookies.

Post by Mordred »

kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: CSRF Tokens In Cookies.

Post by kaisellgren »

Mordred wrote:
kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
Like I said, he's not paying me for this due to this reason. But if we are specific, I am not submitting the token in GET or POST, I'm submitting the token in a GET parameter which is submitted in GET.

Anyway. I guess I have to give up. :(
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: CSRF Tokens In Cookies.

Post by kaisellgren »

Update:

OWASP and Wikipedia are suggesting a new approach of using cookies to protect from CSRF. They suggest that JS will read the cookie and put it into the form automatically. This of course does not work if HttpOnly is enabled.

Read more: http://manicode.blogspot.com/2009/02/do ... e-and.html
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: CSRF Tokens In Cookies.

Post by André D »

kaisellgren wrote: They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
exesteam
Forum Newbie
Posts: 5
Joined: Mon Jan 19, 2009 6:27 pm

Re: CSRF Tokens In Cookies.

Post by exesteam »

André D wrote:
kaisellgren wrote: They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
He already lost his bet...