[pLog-svn] Anti CSRF solution

Ahmad Saleh ahmadfds at gmail.com
Sun Nov 25 16:26:57 EST 2007


Hi Matt

I just have some questions and some notes about what you say here.

On Nov 25, 2007 10:25 PM, Matt Wood <matt at woodzy.com> wrote:

> I think this would be a poor addition. This code just prevents other
> pages from linking directly to your resources. This does nothing to
> protect anyone from performing CSRF attacks from your site. The name
> CSRFx is deceiving. It should really be named, "A simple script to add
> nonces to selected pages on your php application". It is also filled
> with bugs with how it will add nonces to the output page.
>
> I spent a few minutes glancing over the small amount of code this
> project is composed of...
>
> This is why I don't like it...
> 1. This would add two queries to every request, one being a select
> (not a big deal); one being an insert (a bigger deal). These queries
> are also NOT cache-able, thus would also erase good cache entries in
> your DB's query caching mechanism.
> 2. Does not protect against CSRF attacks from your site, it in fact
> will release your "sensitive" token to any actual CSRF attacks.


What do you mean by "from your site"?


> 3. This will also likely confuse search engine crawlers.


As Mark says, it is just for admin pages, so there is no confusion for search
engines.


>
> 4. This will also eliminate people linking directly to your site's
> content. How can that be helpful?
>
> Perhaps the only place this is really applicable is for any resources
> your site hosts.
>
> On Nov 23, 2007 2:30 AM, Mark Wu <mark.wu at markplace.net> wrote:
> >
> >
> > I know we discussed this issue before, but it seems there is no solution
> > for this.
> >
> > This is the code from Google Code; maybe we can borrow the idea from
> > this tool:
> >
> > http://code.google.com/p/csrfx/
> >
> > Mark
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
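To make the point of Matt's critique concrete, here is an added example (not code from pLog/LifeType or from CSRFx; the function names are hypothetical) of a session-bound synchronizer token for admin POST actions: the token lives only in the session, so there is no SELECT/INSERT per request, and it is sent in a hidden form field rather than appended to links, so it is not exposed to pages a CSRF attacker can make the browser fetch.

```php
<?php
// Added example of the synchronizer-token pattern for admin forms.
// Not code from pLog/LifeType or CSRFx; function names are hypothetical.
// The token is bound to the session and never placed in a URL, so it does
// not leak via Referer headers or copied links, and no DB queries are needed.

session_start();

// Return the session's CSRF token, creating it on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing (POST) admin form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token against the session copy in constant time.
// Missing or mismatched tokens are rejected; GET requests never get here
// because only POST is allowed to change state.
function csrf_check(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the state-changing admin action here ...
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <button type="submit">Delete post</button>
</form>
```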