From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: Amirouche Boubekki <amirouche.boubekki@gmail.com>,
	Nala Ginrut <nalaginrut@gmail.com>, Mike Gerwitz <mtg@gnu.org>,
	Zelphir Kaltstahl <zelphirkaltstahl@posteo.de>
Cc: Guile User <guile-user@gnu.org>
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Fri, 25 Oct 2019 08:08:45 +0200	[thread overview]
Message-ID: <20191025060845.iu7cr5bwcjdsprhn@pelzflorian.localdomain> (raw)
In-Reply-To: <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain>

On Fri, Oct 25, 2019 at 07:42:41AM +0800, Nala Ginrut wrote:
> Yes, you need to login if you change IP, but the last IP keeps session.

Does checking the IP enhance security in any way?  There are some
(few) reasons IPs may change.

> BTW, encoding token in URL is bad for SEO.
> 

That is interesting, I did not think of that.  Then again, browsing
the mailing list would be possible without login, i.e. without token,
so URLs would be clean for a search engine crawler.  I do not know if
crawlers should ever have a session on other Artanis sites.


On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
> CSRF mitigation and session tokens are separate concerns.  You can mix
> them, but that leads to complexity.  The typical mitigation is to just
> to use nonces for sensitive requests (e.g. place the nonce in a hidden
> form field to be posted with the form itself).  If you're using nonces,
> there's nothing wrong with cookies.
> 
> Passing session tokens via GET requests is a bad idea, because that
> leaks the token.  You can change the session token after every single
> request, but that leads to a host of other issues: you can't have
> multiple tabs open to the same site, you have to deal with synchronizing
> the new token potentially across multiple systems which complicates load
> balancing and SSO, etc.
> 

So you would use both a cookie to retain login state and then only for
sensitive requests additionally use nonces to prevent CSRF.  Would you
use POST for all (sensitive) requests after login?

I had not even thought of SSO.  Do we want that?  Can we hope for
using that?


> Checking the referrer isn't a good security measure.  For example, if
> the legitimate referrer were vulnerable to XSS, open redirects, or a
> host of other vulnerabilities, then an attacker could circumvent it by
> having the CSRF attack originate from that website.
> 

I read Amirouche’s owasp link which describes checking the referer
only as an additional “Defense in Depth” security measure in the hope
of preventing what it calls login CSRF, i.e. giving someone a login
from someone else without them noticing (if I understand correctly).
A cookie would prevent that anyway, I suppose.

Regards,
Florian
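The arrangement Mike describes above (a cookie retains the login state; sensitive requests are POSTs that additionally carry a single-use nonce in a hidden form field) can be made concrete in a few dozen lines. The following is an added example written for this archive page, not code from the thread, from Artanis or from any participant; the cookie name `session`, the form field name `csrf_nonce`, the in-memory `SESSIONS` store and the `authorize_sensitive_request` function are all assumptions of the example. It also shows, as a consequence of the same design, why a GET request, a missing nonce, a replayed nonce, or a nonce minted for a different session are rejected.

```python
"""Cookie-based session plus per-form CSRF nonce (synchronizer token pattern).

Added illustration for the guile-user thread; names and store are assumed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SESSION_COOKIE = "session"   # assumed name of the login cookie
NONCE_FIELD = "csrf_nonce"   # assumed name of the hidden form field


@dataclass
class Session:
    user: str
    # Nonces handed out to this session's sensitive forms, each usable once.
    pending_nonces: Set[str] = field(default_factory=set)


# Server-side session store: cookie value -> Session.  In-memory here; a
# real deployment would keep this in a database or shared cache.
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the opaque value to set as the cookie.

    The browser sends the cookie with every request, including ones a
    hostile site triggers, so the cookie alone must not authorize changes.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user=user)
    return session_id


def render_form_nonce(session_id: str) -> str:
    """Mint a nonce for one sensitive form and remember it for this session.

    The page embeds it in a hidden POST field; it never goes in a URL, so it
    is not copied into Referer headers, proxy logs or browser history.
    """
    nonce = secrets.token_urlsafe(32)
    SESSIONS[session_id].pending_nonces.add(nonce)
    return nonce


def _find_nonce(session: Session, submitted: str) -> Optional[str]:
    # Constant-time comparison against each outstanding nonce so timing
    # differences do not reveal how much of a guess was correct.
    for nonce in session.pending_nonces:
        if hmac.compare_digest(nonce, submitted):
            return nonce
    return None


def authorize_sensitive_request(method: str, cookies: Dict[str, str],
                                form: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason).  The session comes from the cookie, which a
    cross-site attacker can cause the browser to send; the nonce comes from
    the form body, which that attacker cannot read, so both must line up.
    """
    if method != "POST":
        return False, "state-changing requests must be POST"
    session = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return False, "no valid session cookie"
    submitted = form.get(NONCE_FIELD)
    if not submitted:
        return False, "missing CSRF nonce"
    nonce = _find_nonce(session, submitted)
    if nonce is None:
        return False, "nonce not issued to this session"
    session.pending_nonces.discard(nonce)  # single use: a replay is refused
    return True, "ok for user " + session.user


if __name__ == "__main__":
    sid = login("alice")
    n = render_form_nonce(sid)
    print(authorize_sensitive_request("POST", {SESSION_COOKIE: sid}, {NONCE_FIELD: n}))
    # A forged cross-site POST arrives with the cookie but without the nonce:
    print(authorize_sensitive_request("POST", {SESSION_COOKIE: sid}, {}))
```

Because the nonce is tied to a session rather than replaced on every request, several tabs of the same site keep working, which is the trade-off Mike contrasts with rotating the session token itself.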
