-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Oct 06, 2006 at 05:14:47PM +0200, Clinton Gormley wrote:
> > Users: [...]
> > OK, now call me names :-)
> >
>
> Neither of these options will work. Consider this scenario.
>
> 1) Joe Bloggs logs into my website and has an active session.
> 2) Clicks on a link (either from an email or from content posted on my
> site) to http://www.malicious-site.com/index.html
> 3) That index page contains an <img src="/logo.gif" /> tag
> 3) Instead of serving the image, the server at www.malicious-site.com
> issues a 302 HTTP Status code which redirects Joe Bloggs to
> http://my.website.com/change_password?new_password=abcde
Woah. Right. So: encode session in URL (and not in cookies) might work for this. The attacker would have to know the session (wait: there is HTTP-Referrer, right? so a cautious site would have to "clean" the session before sending the visitor to other sites. Sigh).

I'm aware that I am a bit late with all that (I myself go mostly by those rules. There are just one or two sites I allow Javascript or cookies. But I know I'm preaching in the desert. Still...).

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFJoygBcgs9XrR2kYRAqRIAJ0dSh2edZmzLcwdFWu/1et/xsOzpgCfeJ8G
QPvPQGMcUja1i+fS8SUApMA=
=KqpE
-----END PGP SIGNATURE-----
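The exchange above describes a cross-site request forgery: the browser follows the 302 to my.website.com and attaches Joe's session cookie to a GET that changes state. The following Python is an added illustration, not code from the thread or from either poster. It replays that redirected request against a handler written the way Clinton's scenario assumes, then against a hardened version that only changes state on POST and requires a per-session CSRF token (an HMAC over the session id under a server-side key). The `Request` class, the in-memory session store, `CSRF_KEY` and the session id are constructed stand-ins; the hostnames and the `new_password=abcde` parameter come from the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Server-side key used to derive CSRF tokens (constructed value for this example).
CSRF_KEY = b"example-only-csrf-key"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a handler sees it (constructed)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    query: dict = field(default_factory=dict)     # e.g. ?new_password=abcde
    form: dict = field(default_factory=dict)      # POST body fields


def csrf_token_for(session_id: str) -> str:
    """Per-session token. It is embedded in forms that my.website.com renders,
    so a request produced by a 302 from another origin never carries it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_change_password(req: Request, sessions: dict) -> int:
    """The thread's scenario: a GET carrying the session cookie is enough."""
    user = sessions.get(req.cookies.get("session"))
    if user is None:
        return 401
    user["password"] = req.query.get("new_password", user["password"])
    return 200


def hardened_change_password(req: Request, sessions: dict) -> int:
    """Same endpoint with two checks: state changes only on POST, and the POST
    must carry the CSRF token bound to the session in the cookie."""
    if req.method != "POST":
        return 405
    sid = req.cookies.get("session")
    user = sessions.get(sid)
    if user is None:
        return 401
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return 403
    user["password"] = req.form["new_password"]
    return 200


def run_scenario() -> dict:
    """Replay Joe Bloggs' redirected request against both handlers, then check
    that the hardened handler accepts only a form with the matching token."""
    results = {}
    sid = "joe-session-id"  # constructed session identifier

    # What the browser sends after following the 302 from the <img>: a GET with
    # Joe's cookie attached, the new password in the query string, no form body.
    redirected = Request("GET", "/change_password",
                         cookies={"session": sid},
                         query={"new_password": "abcde"})

    sessions = {sid: {"user": "joe", "password": "original"}}
    results["vulnerable_status"] = vulnerable_change_password(redirected, sessions)
    results["vulnerable_password"] = sessions[sid]["password"]

    sessions = {sid: {"user": "joe", "password": "original"}}
    results["hardened_status"] = hardened_change_password(redirected, sessions)
    results["hardened_password"] = sessions[sid]["password"]

    # A POST that carries the cookie but not the right token is refused too;
    # this is why the method check alone is not the fix.
    no_token = Request("POST", "/change_password",
                       cookies={"session": sid},
                       form={"new_password": "abcde", "csrf_token": "guess"})
    results["no_token_status"] = hardened_change_password(no_token, sessions)

    # Joe's own form, rendered by my.website.com with the matching token.
    legit = Request("POST", "/change_password",
                    cookies={"session": sid},
                    form={"new_password": "newpass", "csrf_token": csrf_token_for(sid)})
    results["legit_status"] = hardened_change_password(legit, sessions)
    results["final_password"] = sessions[sid]["password"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The token approach also sidesteps the Referer problem tomás raises about putting the session in the URL: the session stays in the cookie, the token lives only in the rendered form body, and neither appears in a URL that a Referer header could carry to another site.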