Security Basics mailing list archives
Re: Cookie Security
From: Orlin Gueorguiev <orlin () baturov com>
Date: Thu, 8 May 2008 01:54:58 +0200
On Tuesday 06 May 2008 01:47:46 Marco M. Morana wrote:
Orlin, maybe I am missing something on this email thread... I would think that if the session token is changed after and before the HTTP POST of the new transaction, this will prevent CSRF from happening. The point is to make sure that such a transaction does not exploit the implicit trust that the application has in the user's browser once the authentication session is initiated, or no? More info on CSRF is here: http://www.owasp.org/index.php/Testing_for_CSRF and here is the countermeasure: http://www.owasp.org/index.php/CSRF_Guard
Thank you for the link. I read the articles and apparently my idea is pretty similar to this one: http://www.owasp.org/index.php/How_CSRFGuard_Works#Bypass_CSRFGuard_With_Stored_XSS

Cheers,
Orlin
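A minimal version of the per-session token check the thread is discussing, as an added example (not code from the thread and not OWASP CSRFGuard itself): the server binds one anti-CSRF token to the authenticated session, requires it on every state-changing POST, and rotates it after each accepted transaction. The `Session` class and `handle_transfer_post` handler are hypothetical stand-ins for an application's session store and a state-changing endpoint.

```python
import hmac
import secrets


class Session:
    """Server-side session record; the token never lives in a cookie."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def issue_form_token(session):
    """Value the server embeds as a hidden input in the form it renders."""
    return session.csrf_token


def handle_transfer_post(session, form):
    """Validate the synchronizer token before acting on a state-changing POST.

    Returns (accepted, reason). A cross-site forged POST arrives with the
    victim's session cookie but cannot include the token, because the
    attacker's origin cannot read the server-rendered form. On success the
    token is rotated, so the same value cannot be replayed for a second
    transaction. This check does not help once the same origin has a stored
    XSS: script running there can read the token from the form.
    """
    submitted = form.get("csrf_token")
    if not isinstance(submitted, str) or not submitted:
        return False, "missing token"
    # Constant-time comparison on bytes; avoids timing leaks and the
    # TypeError compare_digest raises for non-ASCII str input.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session.csrf_token.encode("utf-8")):
        return False, "token mismatch"
    # ... perform the transaction here (hypothetical) ...
    session.csrf_token = secrets.token_urlsafe(32)
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    # Constructed requests: forged (no token), guessed token, legitimate form.
    print(handle_transfer_post(s, {"amount": "100"}))
    print(handle_transfer_post(s, {"csrf_token": "guess"}))
    tok = issue_form_token(s)
    print(handle_transfer_post(s, {"csrf_token": tok}))
    print(handle_transfer_post(s, {"csrf_token": tok}))  # replay after rotation
```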