Comments on: Avoiding cross site request forgery in your web apps http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/ Fri, 12 Mar 2010 22:07:19 -0800 http://wordpress.org/?v=2.8.4 hourly 1 By: -= Linkage 2007.12.28 =- http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/comment-page-1/#comment-587 -= Linkage 2007.12.28 =- Mon, 26 Jan 2009 15:40:20 +0000 http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/#comment-587 [...] Fighting CSRF<br/> Avoiding CSRF vulnerabilities in your web apps is easy: In all forms that require a user to be authenticated, simply reauthenticate them using some user-specific transient data. [...] [...] Fighting CSRF<br/> Avoiding CSRF vulnerabilities in your web apps is easy: In all forms that require a user to be authenticated, simply reauthenticate them using some user-specific transient data. [...]

]]> By: mark http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/comment-page-1/#comment-313 mark Wed, 26 Dec 2007 17:31:07 +0000 http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/#comment-313 Sure, but many people don't use random session ID's but instead guarantee uniqueness by using an autoincrement field in a database. On a low traffic site an autoinc field is very easy to guess, hence the suggestion of encryption or hashing. Sure, but many people don’t use random session ID’s but instead guarantee uniqueness by using an autoincrement field in a database. On a low traffic site an autoinc field is very easy to guess, hence the suggestion of encryption or hashing.

]]> By: K http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/comment-page-1/#comment-312 K Wed, 26 Dec 2007 09:52:35 +0000 http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/#comment-312 "set the hidden fields value to an MD5 hash of the real session ID." If the session id is randomly generated, it doesn't make sense to encrypt it. A random string is a random string, no matter how it looks. The only possible way a md5 is more secure, is the size of the text. Then the attacker would need more time to crack it using brute force. “set the hidden fields value to an MD5 hash of the real session ID.”

If the session id is randomly generated, it doesn’t make sense to encrypt it. A random string is a random string, no matter how it looks. The only possible way a md5 is more secure, is the size of the text. Then the attacker would need more time to crack it using brute force.

]]> By: David Airey http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/comment-page-1/#comment-311 David Airey Wed, 26 Dec 2007 09:35:44 +0000 http://markmaunder.com/2007/avoiding-cross-site-request-forgery-in-your-web-apps/#comment-311 Thanks for linking through to my article, and for your write-up on the situation. I appreciate it, and hope you have a fantastic new year. Thanks for linking through to my article, and for your write-up on the situation.

I appreciate it, and hope you have a fantastic new year.

]]>