From: Mike Gerwitz <mtg@gnu.org>
To: "pelzflorian \(Florian Pelz\)" <pelzflorian@pelzflorian.de>
Cc: Guile User <guile-user@gnu.org>
Subject: Re: mailmam, web bridge, forum, p2p
Date: Thu, 24 Oct 2019 21:39:04 -0400 [thread overview]
Message-ID: <87a79peh8n.fsf@gnu.org> (raw)
In-Reply-To: <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain> (pelzflorian@pelzflorian.de's message of "Thu, 24 Oct 2019 14:30:23 +0200")
[-- Attachment #1: Type: text/plain, Size: 2237 bytes --]
On Thu, Oct 24, 2019 at 14:30:23 +0200, pelzflorian (Florian Pelz) wrote:
> Ordinary HTTP cookies are bad practice for session tokens because of
> CSRF. If you want a normal link to another page on your site but
> retain the login session, you should not use cookies for that.
> Session tokens must therefore be supplied in HTTP parameters (GET or
> POST). So when a logged in user makes a request, all hyperlinks in
> the HTML response (except logout) need to have their HTML code
> rewritten by the dynamic web server to contain the session token in
> the GET parameters. Similarly, all POST forms should contain the
> session token as a parameter value. Thus the session token is only
> supplied in GET or POST requests from the same site and same session
> and no CSRF is possible anymore. Since the URL used in a GET request
> will be exposed to the user, the session token should be invalidated
> after verification and the response should contain a new session token
> in its HTML code for hyperlinks and forms. The downside is that URLs
> are less pretty but meh…
CSRF mitigation and session tokens are separate concerns. You can mix
them, but that leads to complexity. The typical mitigation is to just
to use nonces for sensitive requests (e.g. place the nonce in a hidden
form field to be posted with the form itself). If you're using nonces,
there's nothing wrong with cookies.
Passing session tokens via GET requests is a bad idea, because that
leaks the token. You can change the session token after every single
request, but that leads to a host of other issues: you can't have
multiple tabs open to the same site, you have to deal with synchronizing
the new token potentially across multiple systems which complicates load
balancing and SSO, etc.
Checking the referrer isn't a good security measure. For example, if
the legitimate referrer were vulnerable to XSS, open redirects, or a
host of other vulnerabilities, then an attacker could circumvent it by
having the CSRF attack originate from that website.
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
next prev parent reply other threads:[~2019-10-25 1:39 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-20 6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
2019-10-20 6:14 ` John Cowan
2019-10-21 6:35 ` Arne Babenhauserheide
2019-10-21 13:45 ` Amirouche Boubekki
2019-10-23 6:16 ` Amirouche Boubekki
2019-10-23 6:27 ` Nala Ginrut
2019-10-23 6:48 ` pelzflorian (Florian Pelz)
2019-10-23 10:37 ` Chris Vine
2019-10-23 11:25 ` pelzflorian (Florian Pelz)
2019-10-23 12:33 ` pelzflorian (Florian Pelz)
2019-10-23 13:47 ` tomas
2019-10-23 14:10 ` pelzflorian (Florian Pelz)
2019-10-23 19:09 ` Mikael Djurfeldt
2019-10-23 19:26 ` pelzflorian (Florian Pelz)
2019-10-23 19:19 ` Zelphir Kaltstahl
2019-10-24 1:01 ` Nala Ginrut
2019-10-24 9:19 ` pelzflorian (Florian Pelz)
2019-10-24 9:35 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
2019-10-24 12:30 ` pelzflorian (Florian Pelz)
2019-10-24 14:15 ` Nala Ginrut
2019-10-24 16:39 ` Zelphir Kaltstahl
2019-10-24 23:42 ` Nala Ginrut
2019-10-25 1:39 ` Mike Gerwitz [this message]
2019-10-26 7:48 ` mailmam, web bridge, forum, p2p tomas
2019-10-26 10:35 ` Nala Ginrut
2019-10-26 11:34 ` tomas
2019-10-27 4:50 ` Mike Gerwitz
2019-10-27 5:32 ` Mike Gerwitz
2019-10-27 8:50 ` tomas
2019-10-27 8:36 ` tomas
2019-10-27 14:26 ` Keith Wright
2019-10-27 19:28 ` Zelphir Kaltstahl
2019-10-25 6:08 ` mailmam, web bridge, forum, p2p (was: Diversification) pelzflorian (Florian Pelz)
2019-10-25 6:23 ` Nala Ginrut
2019-10-26 4:31 ` mailmam, web bridge, forum, p2p Mike Gerwitz
2019-10-26 9:35 ` pelzflorian (Florian Pelz)
2019-10-26 11:31 ` tomas
2019-10-24 13:32 ` mailmam, web bridge, forum, p2p (was: Diversification) tomas
2019-10-24 15:03 ` Nala Ginrut
2019-10-24 15:12 ` tomas
2019-10-24 16:35 ` Zelphir Kaltstahl
2019-10-26 8:04 ` tomas
2019-10-26 9:42 ` pelzflorian (Florian Pelz)
2019-10-26 11:31 ` tomas
2019-10-25 11:30 ` Mikael Djurfeldt
2019-10-25 12:53 ` Nala Ginrut
2020-09-05 6:15 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
2020-09-05 11:50 ` Web development Zelphir Kaltstahl
2020-09-05 13:09 ` Ricardo Wurmus
2019-10-28 11:04 ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
2020-07-08 12:32 ` pelzflorian (Florian Pelz)
2020-09-05 6:21 ` mailman web interface Joshua Branson via General Guile related discussions
2020-09-05 7:53 ` pelzflorian (Florian Pelz)
2020-09-05 13:32 ` Joshua Branson
2019-10-23 13:43 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
2019-10-23 17:39 ` Chris Vine
2019-10-23 19:58 ` Mailman web interface [was: Re: Diversification] pelzflorian (Florian Pelz)
2019-10-23 20:02 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] pelzflorian (Florian Pelz)
2019-10-26 8:14 ` tomas
2019-10-26 9:03 ` pelzflorian (Florian Pelz)
2019-10-26 11:26 ` tomas
2019-10-26 13:02 ` Zelphir Kaltstahl
2019-10-26 15:23 ` tomas
2019-10-26 16:47 ` pelzflorian (Florian Pelz)
2019-10-26 17:09 ` pelzflorian (Florian Pelz)
[not found] ` <874kzslwq0.fsf@elephly.net>
2019-10-28 15:41 ` pelzflorian (Florian Pelz)
2019-10-23 13:45 ` tomas
2019-10-20 8:07 ` pelzflorian (Florian Pelz)
2019-10-20 8:08 ` pelzflorian (Florian Pelz)
2019-10-22 18:47 ` Mark H Weaver
2019-10-22 19:23 ` Zelphir Kaltstahl
2019-10-22 20:51 ` Arne Babenhauserheide
2019-10-22 23:24 ` Chris Vine
2019-10-23 0:57 ` Zelphir Kaltstahl
2019-10-23 6:44 ` pelzflorian (Florian Pelz)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a79peh8n.fsf@gnu.org \
--to=mtg@gnu.org \
--cc=guile-user@gnu.org \
--cc=pelzflorian@pelzflorian.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).