Re: csrf cookie security

2011-02-10 Thread Russell Keith-Magee
On Fri, Feb 11, 2011 at 1:07 AM, Daniel Roseman wrote:
> On Thursday, February 10, 2011 4:48:05 PM UTC, Brian Craft wrote:
>>
>> I'll have to look at this in more detail, but two notes, off-the-top.
>>
>> First, port 80 is kept open because the browser will try port 80 if

Re: csrf cookie security

2011-02-10 Thread Daniel Roseman
On Thursday, February 10, 2011 4:48:05 PM UTC, Brian Craft wrote:
>
> I'll have to look at this in more detail, but two notes, off-the-top.
>
> First, port 80 is kept open because the browser will try port 80 if
> the user types in the url without the protocol. On port 80 all we do
> is issue a

Re: csrf cookie security

2011-02-10 Thread Brian Craft
I'll have to look at this in more detail, but two notes, off-the-top. First, port 80 is kept open because the browser will try port 80 if the user types in the url without the protocol. On port 80 all we do is issue a redirect to https, but the client will have spilled the cookies by then.

Re: csrf cookie security

2011-02-10 Thread Ian Clelland
On Thu, Feb 10, 2011 at 5:21 AM, Lior Sion wrote:
> It's been a while since I dealt with those things, but what about this
> scenario:
>
> The attacker detects the CSRF code using an attack resembling the
> scenario here:
>

Re: csrf cookie security

2011-02-10 Thread Lior Sion
It's been a while since I dealt with those things, but what about this scenario: The attacker detects the CSRF code using an attack resembling the scenario here: http://wiki.developerforce.com/index.php/Secure_Coding_Secure_Communications#Secure_Communications_and_Cookies [to save some time,

Re: csrf cookie security

2011-02-09 Thread Ian Clelland
On Wed, Feb 9, 2011 at 11:51 AM, Brian Craft wrote:
> I thought, rather, that the csrf token was a cookie that was put in a
> hidden form field.

You're absolutely right; I wasn't thinking about that side of the token.

> With firebug or webkit dev tools you can see the

Re: csrf cookie security

2011-02-09 Thread Brian Craft
I thought, rather, that the csrf token was a cookie that was put in a hidden form field. With firebug or webkit dev tools you can see the django csrf token in the cookies. I would also refer you to middleware/csrf.py, where you can see it doing the set_cookie. I thought the security of the csrf

Re: csrf cookie security

2011-02-09 Thread Ian Clelland
On Wed, Feb 9, 2011 at 11:23 AM, Brian Craft wrote:
> I notice that the csrf token is not secure, i.e. the Set-Cookie is
> constructed w/o the "secure" option, so the browser will send it
> in-the-clear. It's trivial, then, for a 3rd party to discover the csrf
> token.
>

csrf cookie security

2011-02-09 Thread Brian Craft
I notice that the csrf token is not secure, i.e. the Set-Cookie is constructed w/o the "secure" option, so the browser will send it in-the-clear. It's trivial, then, for a 3rd party to discover the csrf token. Am I missing something?