Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
web.py
+ new post
About this group
Join this group
Message from discussion CSRF
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Justin Davis  
View profile  
 More options Mar 14 2011, 12:46 pm
From: Justin Davis <jedavi...@gmail.com>
Date: Mon, 14 Mar 2011 09:46:47 -0700 (PDT)
Local: Mon, Mar 14 2011 12:46 pm
Subject: Re: CSRF
Print | View thread | Show original | Report this message | Find messages by this author
Why not just set a custom cookie, and use that in the form instead of
a session id? Seems a lot less hacky than browser fingerprints, and
avoids sessions.

On Mar 14, 6:50 am, Aaron Swartz <m...@aaronsw.com> wrote:

> thedod added a cookbook page about CSRF to the wiki:https://github.com/webpy/webpy.github.com/commit/33f34aedc82e040950ca...

> My feelings on this are:

> 1. If code blocks are generally useful, it should be in web.py and not
> a cookbook page
> 2. CSRF is generally useful -- web.py should have CSRF protection
> 3. The right way to add CSRF to web.py is to write up a spec and run
> it by me and a web security expert

> web.py's policy on security is generally "secure by default" but it'd
> be extremely backwards-incompatible to start requiring CSRF on all
> forms. I'm not sure what to do about this. One idea is to have a flag
> on web.application that specifies CSRF or not and then have an opt-out
> on...I guess web.input? And maybe eventually the flag could be made
> default, after enough warning. Another is to just add a new name for
> web.input (web.inputs?) and encourage people to use that instead.
> That's probably the best idea.

> Then there should be two functions built into templetor, one that
> returns a hidden input with the token and one that just returns the
> token itself.

> The main security question is: what's the token? The cookbook page
> uses a random number stored in the session. I hate sessions so I of
> course I don't like this. I'd prefer some sort of HMAC of the browser
> fingerprint, but I don't know if that's secure. This is where the
> security expert comes in. I'll ask around about this.


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google