On Thu, Jan 17, 2013 at 02:55:59PM -0800, Scott Weeks wrote:
> ------- mpal...@hezmatt.org wrote: -------
> From: Matt Palmer <mpal...@hezmatt.org>
> [Cookies on stat.ripe.net]
>
> On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> > The cookie stays around for a YEAR (if I let it), and has the
> > following stuff:
>
> CSRF protection is one of the few valid uses of a cookie.
> <snip>
> By the way, if anyone *does* know of a good and reliable way to prevent CSRF
> without the need for any cookies or persistent server-side session state,
> I'd love to know how.  Ten minutes with Google hasn't provided any useful
> information.
> -----------------------------------------
>
> But, if I understand correctly, it is only if you are authenticated that
> anything bad can be made to happen:
>
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[...]
> So, if someone is just looking around, why is the cookie needed?

Primarily abuse prevention.  If I can get a few thousand people to do
something resource-heavy (or otherwise abusive, such as send an e-mail
somewhere) within a short period of time, I can conscript a whole army of
unwitting accomplices into my dastardly plan.  It isn't hard to drop exploit
code on a few hundred pre-scouted vulnerable sites for drive-by conscription.

- Matt
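As an added illustration of the "valid use of a cookie" Matt refers to, here is a stateless CSRF check of the double-submit-cookie kind: the server keeps one secret key and no per-visitor session state, and binds a random cookie nonce to the form token with an HMAC. This is example code written for this page, not code from the thread or from stat.ripe.net; the cookie name, form field name, key and timestamps are made up for the demonstration.

```python
"""Stateless CSRF token: a double-submit cookie bound to the form token by an HMAC.

The server holds one secret key and keeps no per-visitor state.  For each
page render it sets a cookie carrying a random nonce and embeds in the form a
token of the form "<expiry>.<hex HMAC-SHA256(key, "<nonce>.<expiry>")>".
A cross-site page can make the browser *send* the cookie, but cannot *read*
it (same-origin policy), so it cannot mint a form token that matches.
All names below are illustrative, not from any real deployment.
"""
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "csrf_nonce"   # hypothetical cookie name
FORM_FIELD = "csrf_token"    # hypothetical form field name


def _sign(key, nonce, exp):
    """Build the form token for a given cookie nonce and expiry timestamp."""
    msg = f"{nonce}.{exp}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def issue(key, ttl=3600, now=None):
    """Return (cookie_value, form_value) for a freshly rendered form."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)          # 128-bit random, unguessable
    return nonce, _sign(key, nonce, now + ttl)


def verify(key, cookie_nonce, form_token, now=None):
    """True only if form_token was minted for this cookie nonce and is unexpired."""
    now = int(time.time()) if now is None else now
    if not cookie_nonce or not isinstance(form_token, str):
        return False
    exp_str, _, _mac = form_token.partition(".")
    if not exp_str.isdigit():               # malformed or missing expiry
        return False
    exp = int(exp_str)
    if now > exp:                           # expired token
        return False
    expected = _sign(key, cookie_nonce, exp)
    return hmac.compare_digest(expected, form_token)   # constant-time compare


def handle_post(key, cookies, form, now=None):
    """Simulated request handler: reject the action unless cookie and form agree."""
    if not verify(key, cookies.get(COOKIE_NAME), form.get(FORM_FIELD), now):
        return 403, "CSRF check failed"
    return 200, "action performed"


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # the only secret the server keeps
    nonce, token = issue(key, ttl=600)
    # Legitimate submit: browser sends the cookie, form carries the matching token.
    print(handle_post(key, {COOKIE_NAME: nonce}, {FORM_FIELD: token}))
    # Cross-site forgery: the cookie is sent automatically, but the attacking
    # page cannot read it or the server key, so it can only omit or forge the field.
    print(handle_post(key, {COOKIE_NAME: nonce}, {}))
    forged = _sign(b"attacker-guessed-key", "attacker-guessed-nonce", 9_999_999_999)
    print(handle_post(key, {COOKIE_NAME: nonce}, {FORM_FIELD: forged}))
```

Because the token is tied to a cookie rather than to a login, it applies to anonymous visitors too, which is the abuse-prevention case Matt describes. Two caveats a practitioner should keep in mind: this still needs a cookie, so it does not answer the "no cookies at all" question in the thread; and the double-submit pattern trusts the cookie jar, so anyone who can set cookies for the site's domain (for example from a sibling subdomain) can plant a nonce they know. Tokens also cannot be revoked before expiry short of rotating the key.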