Closed chytreg closed 11 years ago
Billion :+1:
Any objections?
Yes, security. Storing CSRF token in cookies is vulnerable to session fixation. Fetching it from meta is ok.
Example or source pls.
Best regards Dariusz Gertych
(Reply to this email directly or view it on GitHub: https://github.com/monterail/guidelines/pull/177#issuecomment-23018386)
@sheerun http://stackoverflow.com/questions/4463422/csrf-can-i-use-a-cookie
Best regards Dariusz Gertych
Think I found: http://homakov.blogspot.com.es/2013/06/cookie-forcing-protection-made-easy.html :( @teamon @jandudulski
Yup, exactly.
Insecure!!!
Homakov :heart:
For the record, I didn't know about that post :D
Imho a cleaner and more solid solution than setting X-CSRF-Token on the Angular side (source).
Had some problems with token setting when I ran tests on poltergeist or capybara-webkit. If you want to use the client side, a more solid solution is to use:
or the cookie solution, which I prefer.