From: "pelzflorian (Florian Pelz)"
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Fri, 25 Oct 2019 08:08:45 +0200
Message-ID: <20191025060845.iu7cr5bwcjdsprhn@pelzflorian.localdomain>
In-Reply-To: <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain>
References: <20191023064813.6igo2qi2cwtcz5bz@pelzflorian.localdomain> <20191023113724.bf055453852ec206af8d7bef@gmail.com> <20191023112544.5s65wrzbexnlsj22@pelzflorian.localdomain> <20191023123343.wanooc44orpyo7tk@pelzflorian.localdomain> <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain>
To: Amirouche Boubekki, Nala Ginrut, Mike Gerwitz, Zelphir Kaltstahl
Cc: Guile User

On Fri, Oct 25, 2019 at 07:42:41AM +0800, Nala Ginrut wrote:
> Yes, you need to login if you change IP, but the last IP keeps session.

Does checking the IP enhance security in any way? There are some (few)
reasons IPs may change.

> BTW, encoding token in URL is bad for SEO.
>

That is interesting, I did not think of that. Then again, browsing the
mailing list would be possible without login, i.e. without token, so
URLs would be clean for a search engine crawler. I do not know if
crawlers should ever have a session on other Artanis sites.

On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
> CSRF mitigation and session tokens are separate concerns. You can mix
> them, but that leads to complexity. The typical mitigation is just
> to use nonces for sensitive requests (e.g. place the nonce in a hidden
> form field to be posted with the form itself). If you're using nonces,
> there's nothing wrong with cookies.
>
> Passing session tokens via GET requests is a bad idea, because that
> leaks the token. You can change the session token after every single
> request, but that leads to a host of other issues: you can't have
> multiple tabs open to the same site, you have to deal with synchronizing
> the new token potentially across multiple systems which complicates load
> balancing and SSO, etc.
>

So you would use both a cookie to retain login state and then only for
sensitive requests additionally use nonces to prevent CSRF. Would you
use POST for all (sensitive) requests after login?

I had not even thought of SSO. Do we want that? Can we hope for using
that?

> Checking the referrer isn't a good security measure. For example, if
> the legitimate referrer were vulnerable to XSS, open redirects, or a
> host of other vulnerabilities, then an attacker could circumvent it by
> having the CSRF attack originate from that website.
>

I read Amirouche’s OWASP link which describes checking the referer
only as an additional “Defense in Depth” security measure in the hope
of preventing what it calls login CSRF, i.e. giving someone a login
from someone else without them noticing (if I understand correctly).
A cookie would prevent that anyway, I suppose.

Regards,
Florian
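The cookie-plus-nonce pattern Mike describes above (session id in a cookie, per-session nonce in a hidden form field, both required for a sensitive POST), worked through as an added, framework-neutral Python example. It is not part of this thread and not Artanis code; the in-memory session store, the Request shape, the /post-message route and the status codes returned are assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store keyed by the opaque cookie value.
# A real deployment would have to share this across servers, which is the
# synchronisation / load-balancing problem the thread mentions.
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (an assumption of this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> tuple[str, str]:
    """Create a session and return (Set-Cookie header value, CSRF nonce).

    The session id travels only in a cookie and the nonce only in a POST
    body, so neither ends up in a URL where Referer headers or logs leak it.
    """
    sid = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": nonce}
    # HttpOnly keeps scripts away from the id, Secure restricts it to TLS,
    # SameSite=Lax blocks most cross-site POSTs; the nonce is the second layer.
    set_cookie = f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return set_cookie, nonce


def render_form(nonce: str) -> str:
    """Embed the per-session nonce as a hidden field of the sensitive form."""
    return (
        '<form method="POST" action="/post-message">'
        f'<input type="hidden" name="csrf" value="{nonce}">'
        '<textarea name="body"></textarea><button>Send</button></form>'
    )


def handle_post_message(req: Request) -> int:
    """Sensitive endpoint; returns an HTTP status code.

    Reject non-POST first, then require a live session, then require the
    nonce that only a page served to that same session could contain.
    """
    if req.method != "POST":
        return 405
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401
    # Constant-time comparison so the nonce cannot be recovered byte by byte.
    if not hmac.compare_digest(req.form.get("csrf", ""), session["csrf"]):
        return 403
    return 200


def demo() -> dict[str, int]:
    """Replay the cases discussed in the thread against the handler."""
    set_cookie, nonce = login("florian")
    sid = set_cookie.split(";", 1)[0].split("=", 1)[1]
    cookie = {"session": sid}
    return {
        # Legitimate submission: the browser sends the cookie and the nonce
        # it received in the rendered form.
        "legit": handle_post_message(
            Request("POST", cookie, {"csrf": nonce, "body": "hi"})),
        # Cross-site form: the browser still attaches the cookie, but the
        # other site never saw the nonce, so the field is missing or wrong.
        "cross_site_no_nonce": handle_post_message(
            Request("POST", cookie, {"body": "spam"})),
        "cross_site_wrong_nonce": handle_post_message(
            Request("POST", cookie, {"csrf": secrets.token_urlsafe(32)})),
        # A GET (e.g. from an <img src=...>) never reaches the nonce check.
        "get": handle_post_message(
            Request("GET", cookie, {"csrf": nonce})),
        # No session cookie at all.
        "no_cookie": handle_post_message(
            Request("POST", {}, {"csrf": nonce})),
    }
```

Run demo() to see the outcomes: only the request carrying both the session cookie and the matching nonce is accepted. The login state comes solely from the cookie, so browsing with several tabs keeps working, and the nonce check is what stops a forged cross-site POST that the browser would otherwise send with that cookie attached.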