[pLog-svn] Anti CSRF solution

Matt Wood matt at woodzy.com
Sun Nov 25 15:25:37 EST 2007


I think this would be a poor addition. This code just prevents other
pages from linking directly to your resources. This does nothing to
protect anyone from performing CSRF attacks from your site. The name
CSRFx is deceiving. It should really be named, "A simple script to add
nonces to selected pages on your php application". It is also filled
with bugs in how it will add nonces to the output page.

I spent a few minutes glancing over the small amount of code this
project is composed of...

This is why I don't like it...
1. This would add two queries to every request, one being a select
(not a big deal); one being an insert (a bigger deal). These queries
are also NOT cache-able, thus would also erase good cache entries in
your DB's query caching mechanism.
2. Does not protect against CSRF attacks from your site; in fact it
will release your "sensitive" token to any actual CSRF attacks.
3. This will also likely confuse search engine crawlers.
4. This will also eliminate people linking directly to your site's
content. How can that be helpful?

Perhaps the only place this is really applicable is for any resources
your site hosts.

On Nov 23, 2007 2:30 AM, Mark Wu <mark.wu at markplace.net> wrote:
>
>
> I know we discussed this issue before, but it seems there is no solution for
> this.
>
> This code comes from google code, maybe we can borrow the idea from this
> tool
>
> http://code.google.com/p/csrfx/
>
> Mark
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
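The points above contrast a per-page nonce stored in the database with a token that is bound to the session. Below is an added example (not code from pLog/LifeType or from CSRFx) of a session-bound synchronizer token for a PHP application: no query per request, GET links untouched, and validation only on state-changing POST requests. The session key, field name and the handler sketch in the trailing comment are assumptions for this illustration.

```php
<?php
// Added example: session-bound synchronizer token for a PHP application.
// Not pLog/LifeType or CSRFx code; key and field names are constructed here.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // constructed name
const CSRF_FIELD_NAME  = 'csrf_token';   // constructed name

// Issue (or reuse) one random token per session. No database row is written
// per request: the only state is the session entry, so nothing displaces
// entries in the DB query cache and ordinary links stay crawlable.
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field for forms that perform state-changing actions (POST only).
function csrfField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $t . '">';
}

// Validate on every POST. A page on another origin cannot read the victim's
// session token, so a forged request arrives without it (or with a stale one)
// and is rejected. hash_equals() keeps the comparison constant-time.
function csrfValidate(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    $given    = $post[CSRF_FIELD_NAME] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Sketch of use in a request handler (assumed layout, not the project's):
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValidate($_SESSION, $_POST)) {
//     http_response_code(403);
//     exit('invalid CSRF token');
// }
// echo '<form method="post" action="/admin/delete">' . csrfField($_SESSION) . '</form>';
```

Because the token is never embedded in GET links, the first and fourth objections above (extra queries, broken deep links) do not arise, and a request that reaches the handler without the matching session value is refused before any action runs.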

