
Re: mailmam, web bridge, forum, p2p

From: tomas
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sat, 26 Oct 2019 13:31:16 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF.  Would you
> > > use POST for all (sensitive) requests after login?
> > 
> > GET requests are supposed to retrieve information, not modify it, and
> > should be idempotent.  Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
> You are right.  That makes sense.  We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!

You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)

-- tomás
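
The scheme the thread settles on, as an added illustration that is not code from this thread or from any project mentioned in it: a cookie carries the session, idempotent GET reads need only the cookie, and any state-changing request (GET or POST) must also carry a single-use nonce minted for that session. The session store, the `/inbox` and `/unsubscribe` paths and the `handle` dispatcher are hypothetical stand-ins for whatever the web bridge would use.

```python
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Hypothetical in-memory store: cookie value -> (user, outstanding nonces).
SESSIONS: Dict[str, Tuple[str, Set[str]]] = {}


def login(user: str) -> str:
    """Start a session and return the opaque cookie value that identifies it."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = (user, set())
    return cookie


def issue_nonce(cookie: str) -> str:
    """Mint a single-use nonce bound to this session, to embed in a link or form."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[cookie][1].add(nonce)
    return nonce


def consume_nonce(cookie: str, nonce: Optional[str]) -> bool:
    """True iff nonce was issued to this session and not yet used; burns it."""
    if cookie not in SESSIONS or nonce is None:
        return False
    outstanding = SESSIONS[cookie][1]
    for stored in list(outstanding):
        if hmac.compare_digest(stored, nonce):  # constant-time comparison
            outstanding.discard(stored)          # single use
            return True
    return False


def handle(method: str, path: str, cookie: Optional[str], params: dict) -> Tuple[int, str]:
    """Dispatch one request. Cookie = who you are; nonce = this action was intended."""
    if cookie not in SESSIONS:
        return 401, "login required"
    user = SESSIONS[cookie][0]
    if path == "/inbox":
        # Idempotent read: the session cookie alone is enough, nothing to CSRF.
        return 200, "inbox of %s" % user
    if path == "/unsubscribe":
        # State change: a forged cross-site request carries the cookie but cannot
        # know the nonce, so it is refused regardless of GET or POST.
        if not consume_nonce(cookie, params.get("nonce")):
            return 403, "missing or invalid nonce"
        return 200, "%s unsubscribed" % user
    return 404, "not found"
```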
