[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Jim Manico jim at manico.net
Sun May 16 21:12:37 EDT 2010


I agree, especially if your session management mechanism supports and enforces a reasonable idle and absolute timeout.

Jim Manico

On May 16, 2010, at 11:55 AM, Paul Johnston <paul.johnston at pentest.co.uk> wrote:

> Hi,
>
> Is there any need to have a different token on each page? I don't think so.
> I've always recommended that the anti-CSRF token be generated at the same
> time as the session ID, and remain constant throughout the session. Sure,
> changing it may add a little security, but I don't think changing is
> necessary, not at all.
>
> Paul
>
> -- 
> Pentest - When a tick in the box is not enough
>
> Paul Johnston - IT Security Consultant / Tiger SST
> Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
>
> Office: +44 (0) 161 233 0100
> Mobile: +44 (0) 7817 219 072
>
> Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
> Registered Number: 4217114 England & Wales
> Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
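Added illustration (editor's code, not from either poster): a per-session synchronizer token of the kind Paul describes, minted together with the session ID and never rotated, combined with the idle and absolute timeouts Jim mentions. The in-memory store, the timeout values, and all function names are assumptions made for the example; a real deployment would use its framework's server-side session backend.

```python
import hmac
import secrets
import time

# Timeout values are assumed for illustration, not taken from the thread.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity

# Assumed in-memory store standing in for a server-side session backend,
# keyed by session ID. The CSRF token is minted alongside the ID and never changes.
_sessions = {}


def create_session(user, now=None):
    """Mint a session ID and a per-session CSRF token at the same moment."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "csrf": csrf, "created": now, "last_seen": now}
    return sid, csrf


def session_is_live(sid, now=None):
    """Enforce idle and absolute timeouts; an expired session is dropped outright."""
    now = time.time() if now is None else now
    sess = _sessions.get(sid)
    if sess is None:
        return False
    if now - sess["created"] > ABSOLUTE_TIMEOUT or now - sess["last_seen"] > IDLE_TIMEOUT:
        del _sessions[sid]
        return False
    sess["last_seen"] = now
    return True


def verify_state_changing_request(cookie_sid, submitted_token, now=None):
    """Accept a state-changing request only if the session is live and the submitted
    token equals the one bound to that session (constant-time comparison)."""
    if not session_is_live(cookie_sid, now):
        return False
    if submitted_token is None:
        return False
    return hmac.compare_digest(_sessions[cookie_sid]["csrf"], submitted_token)


def demo():
    """Walk one session through a legitimate request, two forgeries and idle expiry."""
    t0 = 1_000_000.0
    sid, token = create_session("alice", now=t0)
    # Legitimate submission: browser sends the cookie plus the token embedded in the page.
    ok = verify_state_changing_request(sid, token, now=t0 + 60)
    # Cross-site forgery: the attacker's page makes the browser send the cookie, but the
    # attacker cannot read the token out of the victim's session, so it is missing or wrong.
    forged = verify_state_changing_request(sid, None, now=t0 + 120)
    guessed = verify_state_changing_request(sid, secrets.token_urlsafe(32), now=t0 + 120)
    # The same token remains valid for the whole session, so no per-page rotation is needed...
    still_ok = verify_state_changing_request(sid, token, now=t0 + 600)
    # ...until the idle timeout kills the session, and the token dies with it.
    after_idle = verify_state_changing_request(sid, token, now=t0 + 600 + IDLE_TIMEOUT + 1)
    return ok, forged, guessed, still_ok, after_idle


def absolute_timeout_demo():
    """A constantly active session still dies at the absolute timeout.
    Returns the number of seconds of activity before the first rejection."""
    t0 = 2_000_000.0
    sid, token = create_session("bob", now=t0)
    t = t0
    while verify_state_changing_request(sid, token, now=t):
        t += 600  # keep touching the session well inside the idle window
    return t - t0


if __name__ == "__main__":
    print(demo())
    print(absolute_timeout_demo())
```

The token's lifetime is bounded by the session's, which is what makes the constant-token design acceptable: once the idle or absolute timeout fires, a captured token is as dead as the session ID it was issued with. Rotating the token per page buys protection only against a token already leaked mid-session, at the cost of breaking multi-tab use.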

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
