On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <pelzflor...@pelzflorian.de> wrote:

> Because of login CSRF the Referer header should also be verified for
> all links internal to the website (external links should strip the
> Referer header via redirect pages similar to what the code attached to
> this mail does).
> I do not know what Artanis does currently.  I will check next week.
The current Artanis checks both the session token (from cookies) and the
client IP.
This method was blamed for being overkill because some users may be on the
same LAN behind a single external IP.
But I think IPv6 will cover the world eventually, so I think this would be
the best way to go.
Of course, there's no conflict in adding an extra verification token. Patches or
proposals are welcome. ;-)

Best regards.
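The checks discussed in this thread (session cookie, client-IP binding, a separate CSRF token, and Origin/Referer verification for internal requests), as an added illustration that is not Artanis code and not from either poster. The store, `SITE_ORIGIN`, header names and function names are assumptions chosen for the example; the `bind_ip` flag models the shared-LAN objection raised above.

```python
"""Added example (not Artanis code): request verification combining a session
cookie, optional client-IP binding, a per-session CSRF token and an
Origin/Referer same-origin check. All names here are hypothetical."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # assumed site origin (placeholder)

# Constructed in-memory session store: session_id -> {"ip": str, "csrf": str}
sessions = {}


def create_session(client_ip):
    """Create a session bound to the client IP with its own CSRF token."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"ip": client_ip, "csrf": secrets.token_urlsafe(32)}
    return sid


def same_origin(header_value):
    """True if an Origin or Referer header value points at SITE_ORIGIN.
    A missing header, 'null', or a foreign host all count as not same-origin."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_request(cookies, form, headers, client_ip, bind_ip=True):
    """Return (ok, reason) for a state-changing request.

    Checks, in order: a known session cookie; the session's recorded IP
    (skipped when bind_ip is False, e.g. for NAT'd users sharing one IP);
    a same-origin Origin or Referer header; and the session's CSRF token
    submitted in the form, compared in constant time."""
    sid = cookies.get("session")
    sess = sessions.get(sid)
    if sess is None:
        return False, "no valid session"
    if bind_ip and sess["ip"] != client_ip:
        return False, "client ip does not match session"
    # Origin is preferred; Referer is the fallback for clients that omit it
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_origin(origin):
        return False, "origin/referer is not this site"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = create_session("203.0.113.7")
    good = check_request({"session": sid}, {"csrf_token": sessions[sid]["csrf"]},
                         {"Origin": SITE_ORIGIN}, "203.0.113.7")
    print(good)
```

The IP binding is the part the thread calls overkill: with `bind_ip=True` a user whose NAT address changes is rejected even though the cookie and token are valid, while with `bind_ip=False` the CSRF token and Origin/Referer check alone still stop a cross-site request, because a foreign page can neither read the per-session token nor forge a same-origin Origin header.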
