nanog mailing list archives

Re: Suggestions for the future on your web site: (was cookies, and before that Re: Dreamhost hijacking my prefix...)


From: Matt Palmer <mpalmer () hezmatt org>
Date: Fri, 18 Jan 2013 09:38:53 +1100

[Cookies on stat.ripe.net]

On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> The cookie stays around for a YEAR (if I let it), and has the
> following stuff:
> 
> Name: stat-csrftoken
> Content: 7f12a95b8e274ab940287407a14fc348
> 
> [...]
> 
> To your credit, you only ask once, but you ought to ask zero times.

CSRF protection is one of the few valid uses of a cookie.  It shouldn't need
to be set on every page, though, and it should be cleared immediately after
the form submission.  It's typically a lot easier in the site code just to
set it once and be done with it.

By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how.  Ten minutes with Google hasn't provided any useful
information.

- Matt
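As an added illustration of the pattern Matt describes (a CSRF token that is issued once and needs no persistent server-side session state), not code from the thread or from stat.ripe.net: the token is an issue timestamp plus an HMAC over the authenticated user's identity and that timestamp, keyed with a server secret. The server stores nothing per token; it only recomputes the MAC on submission and rejects expired or mismatched tokens. The user identity, the secret and the TTL are assumptions for the example; in a deployment the identity would come from whatever mechanism authenticates the request, and the secret from configuration. This covers the "no server-side state" half of the question; binding the token to a particular browser without any cookie still needs some other per-client credential, such as an HTTP authentication header.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-wide secret; a real service loads it from configuration,
# not from source, and rotates it on a schedule.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token remains acceptable (assumed value)


def _mac(user_id: str, issued_at: int) -> str:
    # MAC over (user, issue time) so a token cannot be replayed for another user
    # or re-dated; SHA-256 HMAC is the keyed primitive here.
    msg = f"{user_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(user_id: str, now: Optional[int] = None) -> str:
    """Return the value to embed as a hidden form field. Nothing is stored server-side."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(user_id, issued_at)}"


def verify_csrf_token(token: str, user_id: str, now: Optional[int] = None) -> bool:
    """True only if the token parses, is not expired or post-dated, and its MAC
    matches the user whose request carries it."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, mac = token.split(".", 1)
        issued_at = int(ts_str)
    except ValueError:
        return False  # malformed token
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False  # post-dated or expired
    # Constant-time comparison so a wrong token leaks nothing through timing.
    return hmac.compare_digest(mac, _mac(user_id, issued_at))


if __name__ == "__main__":
    # Constructed walkthrough: issue for one user, then check a few submissions.
    t = issue_csrf_token("alice", now=1000)
    print("valid for alice:", verify_csrf_token(t, "alice", now=1500))
    print("valid for bob:", verify_csrf_token(t, "bob", now=1500))
    print("valid after TTL:", verify_csrf_token(t, "alice", now=1000 + TOKEN_TTL + 1))
```

The cross-site protection comes from the fact that a forged request from another origin cannot include the token, because the token only ever appears in the page the server rendered for that user; the MAC stops an attacker from minting one for a victim, and the timestamp bounds how long a leaked token stays useful.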