Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)

[Matt Palmer <mpalmer () hezmatt org>]

On Thu, Jan 17, 2013 at 02:55:59PM -0800, Scott Weeks wrote:
> ------- mpalmer () hezmatt org wrote: -------
> From: Matt Palmer <mpalmer () hezmatt org>
> [Cookies on stat.ripe.net]
>
> On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> > The cookie stays around for a YEAR (if I let it), and has the
> > following stuff:
>
> CSRF protection is one of the few valid uses of a cookie.  
> <snip>
> By the way, if anyone *does* know of a good and reliable way to prevent CSRF
> without the need for any cookies or persistent server-side session state,
> I'd love to know how.  Ten minutes with Google hasn't provided any useful
> information.
> -----------------------------------------
>
> But, if I understand correctly, it only only if you are authenticated can
> anything bad be made to happen:
>
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

[...]

> So, if someone is just looking around, why is the cookie needed?  

Primarily abuse prevention.  If I can get a few thousand people to do
something resource-heavy (or otherwise abusive, such as send an e-mail
somewhere) within a short period of time, I can conscript a whole army of
unwitting accomplices into my dastardly plan.  It isn't hard to drop exploit
code on a few hundred pre-scouted vulnerable sites for drive-by
conscription.

- Matt