Fixed link to CSRF checks
This commit is contained in:
Konstantin Filtschew
GitHub
parent
ebdd6c22a8
commit
c1ab4502a7
|
|
@ -324,7 +324,7 @@ This lets the expected CSRF token outlive the session.
|
||||||
+
|
+
|
||||||
One might ask why the expected CSRF token is not stored in a cookie by default.
|
One might ask why the expected CSRF token is not stored in a cookie by default.
|
||||||
This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
|
This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
|
||||||
This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips a CSRF checks when the header X-Requested-With is present].
|
This is the same reason Ruby on Rails https://rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails[no longer skips a CSRF checks when the header X-Requested-With is present].
|
||||||
See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
|
See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
|
||||||
Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
|
Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue