PerlMonks  

Re: Is your web application really secure? ("CSRF")

by Spidy (Chaplain)
on Mar 31, 2007 at 02:36 UTC (#607601)


in reply to Is your web application really secure? ("CSRF")

Someone I know was working on a problem like this, and used something along the lines of the tokens solution that you described. What they did was to take a user's unique user ID value, pass it through crypt(), and then embed that into their form as the token. That value would then be checked against the user ID inside the database, and if the two matched, any other checks could then be run.

Re^2: Is your web application really secure? ("CSRF")
by tinita (Parson) on Apr 01, 2007 at 00:19 UTC
I would add a random string to it, because if you know that it's the crypted user id you can still attack a user. Of course then a corrupted website would only work for one user at a time, so it's much safer than without tokens.
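Here is an added example (not code from either poster) that puts the two ideas above side by side: a token derived only from the user id via crypt(), as in the first post, and the per-session random secret that the reply asks for. The token in the hardened version is an HMAC over the session id keyed with a secret that is generated from /dev/urandom when the session starts and lives only in the server-side store; the %SESSION hash, the fixed salt 'ab', and the user ids are all constructed stand-ins, not anything from a real application.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# --- Scheme from the first post: token derived only from the user id ---
# crypt() with a fixed salt is deterministic, so the same user id always
# produces the same token. Nothing in it is secret per session, which is
# exactly the weakness the reply points out.
sub weak_token {
    my ($user_id) = @_;
    return crypt($user_id, 'ab');   # 'ab' is a constructed fixed salt
}

# --- Hardened scheme: random per-session secret + HMAC over the session id ---
# %SESSION stands in for the application's server-side session store
# (hypothetical; a real app would use CGI::Session, Plack::Session, ...).
my %SESSION;

# Read n bytes from the kernel CSPRNG and return them as hex.
sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $buf, $nbytes;
    close $fh;
    return unpack 'H*', $buf;
}

# Create a session for a user; the CSRF secret never leaves the server.
sub start_session {
    my ($user_id) = @_;
    my $sid = random_hex(16);
    $SESSION{$sid} = { user_id => $user_id, csrf_secret => random_hex(32) };
    return $sid;
}

# Token to embed in the form: bound to this session, unguessable without
# the secret, and different for every session of the same user.
sub csrf_token {
    my ($sid) = @_;
    my $s = $SESSION{$sid} or return;
    return hmac_sha256_hex($sid, $s->{csrf_secret});
}

# Compare two strings without leaking where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Check a submitted token against the session the request belongs to.
sub verify_token {
    my ($sid, $submitted) = @_;
    my $expected = csrf_token($sid) or return 0;
    return constant_time_eq($expected, $submitted // '') ? 1 : 0;
}

# --- Demonstration with constructed user ids ---
my $uid = 'user42';

# Weak: identical tokens every time, and identical across sessions.
printf "weak token, call 1: %s\n", weak_token($uid);
printf "weak token, call 2: %s\n", weak_token($uid);

# Hardened: two sessions of the same user get different tokens.
my $sid1 = start_session($uid);
my $sid2 = start_session($uid);
printf "session 1 token: %s\n", csrf_token($sid1);
printf "session 2 token: %s\n", csrf_token($sid2);

# A form posted with its own session's token passes ...
printf "own token accepted:        %d\n", verify_token($sid1, csrf_token($sid1));
# ... a token from another session of the same user does not ...
printf "other session's token:     %d\n", verify_token($sid1, csrf_token($sid2));
# ... and the crypt()-only token is of no use against the hardened check.
printf "crypt(user id) as token:   %d\n", verify_token($sid1, weak_token($uid));
```

The point the demonstration makes is the one in the reply: with crypt() alone the token is a pure function of the user id, so it is reproducible by anyone who knows the id, whereas the HMAC token depends on a secret that only the server holds and that is fresh for each session. Rotating the secret on login and comparing in constant time are the two details worth keeping when adapting this to a real session store.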
