On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF. Would you
> > > use POST for all (sensitive) requests after login?
> >
> > GET requests are supposed to retrieve information, not modify it, and
> > should be idempotent. Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
>
> You are right. That makes sense. We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!

You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)

Cheers
-- tomás
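The cookie-plus-nonce scheme Florian settles on, as an added example that is not code from the thread or its authors: the cookie identifies the session, and a sensitive action, whether reached by GET or POST, is accepted only with a fresh single-use nonce the server issued for that session. The in-memory store and all function names are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# session_id -> outstanding single-use nonces (constructed in-memory store;
# a real application would keep this in its session backend)
SESSIONS: Dict[str, Set[str]] = {}


def new_session() -> str:
    """Create a login session; the returned id is what the cookie carries."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = set()
    return sid


def issue_nonce(sid: str) -> str:
    """Mint a fresh nonce bound to this session, one per sensitive link or form."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid].add(nonce)
    return nonce


def sensitive_link(sid: str, path: str, **params: str) -> str:
    """Render a link to a sensitive action that carries its own nonce."""
    query = dict(params, nonce=issue_nonce(sid))
    return f"{path}?{urlencode(query)}"


def verify_nonce(sid: str, nonce: Optional[str]) -> bool:
    """Accept a nonce once, and only for the session it was issued to."""
    outstanding = SESSIONS.get(sid)
    if outstanding is None or nonce is None:
        return False
    for issued in list(outstanding):
        # constant-time comparison; consume on success so replays fail
        if hmac.compare_digest(issued.encode(), nonce.encode()):
            outstanding.discard(issued)
            return True
    return False


def handle_sensitive_request(cookie_sid: str, url: str) -> bool:
    """Server side of e.g. /delete?item=3&nonce=...: the cookie names the
    session, the nonce in the URL proves the link came from a page we served."""
    nonce = parse_qs(urlparse(url).query).get("nonce", [None])[0]
    return verify_nonce(cookie_sid, nonce)
```

A forged cross-site request can carry the victim's cookie but not a nonce the server issued, so it fails `verify_nonce`; a captured link fails on its second use.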