Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sat, 26 Oct 2019 13:31:16 +0200
Message-ID: <20191026113116.GD22804@tuxteam.de>
References: <20191023113724.bf055453852ec206af8d7bef@gmail.com> <20191023112544.5s65wrzbexnlsj22@pelzflorian.localdomain> <20191023123343.wanooc44orpyo7tk@pelzflorian.localdomain> <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain> <20191025060845.iu7cr5bwcjdsprhn@pelzflorian.localdomain> <87y2x83z6h.fsf@gnu.org> <20191026093506.qbox46mcjt747pxo@pelzflorian.localdomain>
In-Reply-To: <20191026093506.qbox46mcjt747pxo@pelzflorian.localdomain>
To: guile-user@gnu.org
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: General Guile related discussions

On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF. Would you
> > > use POST for all (sensitive) requests after login?
> >
> > GET requests are supposed to retrieve information, not modify it, and
> > should be idempotent. Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
>
> You are right. That makes sense. We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!

You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)

Cheers
-- tomás
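The scheme Florian settles on above (cookie for login state, nonce only for sensitive actions, whether they arrive by GET or POST), written out as an added Python sketch that is not code from this thread or from any Guile or Mailman project. The in-memory session store, the two routes `/inbox` and `/unsubscribe`, and the helper names are assumptions made for the illustration; the point it shows is that a cross-site page can make the browser attach the cookie but cannot know a nonce the server minted for that session, and that a consumed or foreign nonce is refused.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory session store (assumption: a real app would persist this).
# session id -> {"user": name, "nonces": set of unused single-use nonces}
sessions = {}


def new_session(user):
    """Log a user in: mint a session id that the browser will hold in a cookie."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "nonces": set()}
    return sid


def issue_nonce(sid):
    """Mint a single-use nonce bound to one session and remember it server-side."""
    nonce = secrets.token_urlsafe(24)
    sessions[sid]["nonces"].add(nonce)
    return nonce


def sensitive_link(path, sid):
    """Build a GET link to a state-changing action; the nonce rides in the query."""
    return f"{path}?{urlencode({'nonce': issue_nonce(sid)})}"


def verify_nonce(sid, nonce):
    """Accept a nonce only if it was minted for this session and never used."""
    sess = sessions.get(sid)
    if sess is None or not isinstance(nonce, str):
        return False
    presented = nonce.encode("utf-8")
    for stored in list(sess["nonces"]):
        # constant-time comparison, then consume so the link cannot be replayed
        if hmac.compare_digest(stored.encode("utf-8"), presented):
            sess["nonces"].discard(stored)
            return True
    return False


def handle(method, url, cookie_sid, form=None):
    """Minimal dispatcher standing in for the web bridge.

    Read-only, idempotent GETs need only the session cookie. State-changing
    actions need the cookie plus a valid nonce, regardless of HTTP method.
    Returns (status, body).
    """
    parts = urlsplit(url)
    sess = sessions.get(cookie_sid)
    if sess is None:
        return (401, "no session")
    if parts.path == "/inbox":
        return (200, f"inbox of {sess['user']}")
    if parts.path == "/unsubscribe":
        if method == "POST":
            nonce = (form or {}).get("nonce")
        else:
            nonce = (parse_qs(parts.query).get("nonce") or [None])[0]
        if not verify_nonce(cookie_sid, nonce):
            return (403, "missing, used or foreign nonce")
        return (200, f"{sess['user']} unsubscribed")
    return (404, "")


def demo():
    """Walk through the cases the thread discusses; returns a dict of outcomes."""
    alice = new_session("alice")
    mallory = new_session("mallory")
    results = {}
    # read-only GET: the cookie alone suffices and repeating it changes nothing
    results["inbox"] = handle("GET", "/inbox", alice)
    # legitimate sensitive GET: the server minted this link for alice's session
    link = sensitive_link("/unsubscribe", alice)
    results["legit"] = handle("GET", link, alice)
    # the same link again: the nonce was consumed on first use
    results["replay"] = handle("GET", link, alice)
    # cross-site request: alice's browser attaches her cookie automatically,
    # but the foreign page could not learn a nonce, so the URL has none
    results["csrf"] = handle("GET", "/unsubscribe", alice)
    # a nonce minted for mallory's own session is not valid for alice's
    foreign = issue_nonce(mallory)
    results["foreign"] = handle("POST", "/unsubscribe", alice, form={"nonce": foreign})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s} -> {outcome}")
```

The nonce is looked up per session rather than globally, which is what makes the "foreign" case fail without any extra check; tying it to the session is the part that matters, the transport (query string versus form field) does not. Tomás's alternative of carrying the session in the URL instead of a cookie fits the same dispatcher: `cookie_sid` would simply be read from the query instead of a header.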