nanog mailing list archives
Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)
From: George Herbert <george.herbert () gmail com>
Date: Sat, 19 Jan 2013 15:54:37 -0800
On Jan 18, 2013, at 7:52 PM, Matt Palmer <mpalmer () hezmatt org> wrote:
> On Fri, Jan 18, 2013 at 09:41:41AM +0100, . wrote:
> > On 17 January 2013 23:38, Matt Palmer <mpalmer () hezmatt org> wrote:
> > ..
> > > By the way, if anyone *does* know of a good and reliable way to prevent
> > > CSRF without the need for any cookies or persistent server-side session
> > > state, I'd love to know how. Ten minutes with Google hasn't provided any
> > > useful information.
> >
> > I think many people create <forms> with a secret code that is different
> > and hopefully can't be predicted by the attackers.
> >
> > <form method="post">
> > <input type="hidden" name="id_user" value="33">
> > <input type="hidden" name="action" value="delete_user">
> > <input type="hidden" name="secret" value="5ebe2294ecd0e0f08eab7690d2a6ee69">
> > <input type="submit" value="Delete user">
> > </form>
> >
> > The easy way to do this is to generate secret from the md5 of time in
> > milliseconds + a salt string, and store the secret generated serverside.
>
> Storing any state server-side is a really bad idea for scalability and
> reliability.
? Doing that - into a user state DB of some sort, either external or in middleware, is routine...

George William Herbert
Sent from my iPhone
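Both positions in the exchange above, worked out as running code. This is an added example, not code from anyone in the thread: the first part is the stored-secret form token the quoted mail describes (with the token drawn from the OS CSPRNG instead of md5 over the clock plus a salt, a deliberate substitution, since a clock-derived hash is guessable), and the second is a stateless alternative of the kind Matt Palmer was asking for, an HMAC under a server key over user, action and expiry, which needs no cookie and no per-request server-side state beyond the key. SERVER_KEY, TOKEN_TTL, the in-memory token store and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from html import escape

# ---- Approach 1: the stored token from the quoted mail (stateful) ----------
# The mail derives the secret from md5(time in ms + salt) and keeps it on the
# server. A clock-derived md5 is guessable, so this version draws the token
# from the OS CSPRNG instead (a deliberate substitution). The per-user store
# below is the server-side state the thread objects to; it is a constructed
# in-memory stand-in for the "user state DB" George mentions.
_issued_tokens = {}  # constructed: {user_id: set(tokens)}

def issue_stateful_token(user_id):
    token = secrets.token_hex(16)  # 128 bits, same width as the md5 in the mail
    _issued_tokens.setdefault(user_id, set()).add(token)
    return token

def verify_stateful_token(user_id, token):
    # Consume on use so a captured token cannot be replayed.
    tokens = _issued_tokens.get(user_id, set())
    if token in tokens:
        tokens.discard(token)
        return True
    return False

# ---- Approach 2: a stateless token (HMAC under a server key) --------------
# Nothing is stored per user or per request: the server recomputes the MAC over
# (user, action, expiry) and compares. Binding the action means a token minted
# for one form cannot be reused on another; the expiry bounds replay in place
# of a one-shot store. SERVER_KEY and TOKEN_TTL are assumed values.
SERVER_KEY = b"constructed-demo-key-replace-and-rotate"
TOKEN_TTL = 600  # seconds a token stays valid

def _mac(user_id, action, expires):
    msg = f"{user_id}|{action}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_stateless_token(user_id, action, now=None):
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_mac(user_id, action, expires)}"

def verify_stateless_token(user_id, action, token, now=None):
    try:
        exp_str, mac = token.split(".", 1)
        expires = int(exp_str)
    except ValueError:
        return False
    if expires < int(time.time() if now is None else now):
        return False
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, _mac(user_id, action, expires))

def render_delete_form(user_id, token):
    # The form from the quoted mail, with the secret filled in.
    return (
        '<form method="post">\n'
        f'<input type="hidden" name="id_user" value="{int(user_id)}">\n'
        '<input type="hidden" name="action" value="delete_user">\n'
        f'<input type="hidden" name="secret" value="{escape(token)}">\n'
        '<input type="submit" value="Delete user">\n'
        '</form>'
    )

def handle_post(fields, authenticated_user, now=None):
    """Server-side handler for the posted form. `authenticated_user` must come
    from the request's own authentication, never from the form body; the hidden
    id_user is only accepted if it matches. Returns (accepted, reason)."""
    try:
        user_id = int(fields["id_user"])
        action = fields["action"]
        token = fields["secret"]
    except (KeyError, ValueError):
        return False, "missing or malformed fields"
    if user_id != authenticated_user:
        return False, "id_user does not match the authenticated user"
    if not verify_stateless_token(user_id, action, token, now):
        return False, "csrf token invalid or expired"
    return True, f"{action} applied to user {user_id}"

if __name__ == "__main__":
    tok = issue_stateless_token(33, "delete_user")
    print(render_delete_form(33, tok))
    print(handle_post({"id_user": "33", "action": "delete_user", "secret": tok}, 33))
    # A cross-site post cannot carry a valid secret and is rejected.
    print(handle_post({"id_user": "33", "action": "delete_user", "secret": "x"}, 33))
```

The stateless variant trades the one-shot property of the stored token for a time window, so TOKEN_TTL should be as short as the form's workflow allows. It also still depends on the server knowing which user is making the request by some means other than the form body, so that the token is bound to the authenticated identity and not to whatever id_user a third-party page chooses to post.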