On Fri, Feb 11, 2011 at 1:07 AM, Daniel Roseman wrote:
> On Thursday, February 10, 2011 4:48:05 PM UTC, Brian Craft wrote:
>>
>> I'll have to look at this in more detail, but two notes, off-the-top.
>>
>> First, port 80 is kept open because the browser will try port 80 if
>> the user types in the url without the protocol. On port 80 all we do
>> is issue a redirect to https, but the client will have spilled the
>> cookies by then.
On Thu, Feb 10, 2011 at 5:21 AM, Lior Sion wrote:
> It's been a while since I dealt with those things, but what about this
> scenario:
>
> The attacker detects the CSRF code using an attack resembling the
> scenario here:
>
> http://wiki.developerforce.com/index.php/Secure_Coding_Secure_Communications#Secure_Communications_and_Cookies
>
> [to save some time,
On Wed, Feb 9, 2011 at 11:51 AM, Brian Craft wrote:
> I thought, rather, that the csrf token was a cookie that was put in a
> hidden form field.

You're absolutely right; I wasn't thinking about that side of the token.

> With firebug or webkit dev tools you can see the django csrf token in
> the cookies. I would also refer you to middleware/csrf.py, where you
> can see it doing the set_cookie.
>
> I thought the security of the csrf
On Wed, Feb 9, 2011 at 11:23 AM, Brian Craft wrote:
> I notice that the csrf token is not secure, i.e. the Set-Cookie is
> constructed w/o the "secure" option, so the browser will send it
> in-the-clear. It's trivial, then, for a 3rd party to discover the csrf
> token.
>
> Am I missing something?
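The two observations in this thread, a Set-Cookie issued without the "secure" option and a port-80 redirect that the browser follows before it is told to switch to https, come down to one browser rule: a cookie lacking the Secure attribute is attached to any request for its host, plain HTTP included. The script below is an added example, not code from the thread or from Django; it uses only Python's standard-library cookie jar, which applies the same Secure rule a browser does. The host names and the token value are constructed placeholders. It first checks a Set-Cookie header value for the missing Secure and HttpOnly attributes, then stores the cookie during an HTTPS exchange and asks the jar what it would send on a later http:// request, which is exactly the request a user makes by typing the site name without a protocol.

```python
"""Show why a csrftoken cookie set without the Secure attribute leaks on a
plain-HTTP request, using only the standard library's cookie jar."""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample Set-Cookie header values; the token value is a placeholder,
# not a real Django token. The first mirrors the header the thread describes
# (no "secure" option); the second is the hardened form.
INSECURE_SET_COOKIE = "csrftoken=CONSTRUCTED_TOKEN_VALUE; Path=/"
SECURE_SET_COOKIE = "csrftoken=CONSTRUCTED_TOKEN_VALUE; Path=/; Secure; HttpOnly"

HTTPS_LOGIN = "https://www.example.com/accounts/login/"  # hypothetical site
HTTP_ROOT = "http://www.example.com/"                     # url typed without the protocol


def missing_flags(set_cookie_value):
    """Return the hardening attributes absent from a Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


class _StubResponse:
    """Minimal response object exposing the headers CookieJar.extract_cookies reads."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_on_plain_http(set_cookie_value):
    """Store the cookie from an HTTPS response, then ask the jar what it would
    attach to a later plain-HTTP request to the same host.

    Returns the Cookie header value, or None when the jar (like a browser)
    withholds the cookie because it carries the Secure attribute."""
    jar = http.cookiejar.CookieJar()
    https_request = urllib.request.Request(HTTPS_LOGIN)
    jar.extract_cookies(_StubResponse([set_cookie_value]), https_request)

    # The user later types the site name without a protocol: the browser
    # goes to port 80 first, and this is the request it would send.
    http_request = urllib.request.Request(HTTP_ROOT)
    jar.add_cookie_header(http_request)
    return http_request.get_header("Cookie")


if __name__ == "__main__":
    for label, header in (("without Secure", INSECURE_SET_COOKIE),
                          ("with Secure", SECURE_SET_COOKIE)):
        print(f"{label}: missing {missing_flags(header) or 'nothing'}; "
              f"sent over http as {cookie_header_on_plain_http(header)!r}")
```

Run as a script it reports that the first cookie is sent in the clear as `csrftoken=CONSTRUCTED_TOKEN_VALUE` while the second is withheld. The same `missing_flags` check can be pointed at real Set-Cookie headers captured from a staging server as a quick regression test; the fix on the Django side is to emit the cookie with the Secure (and HttpOnly) attributes, which later Django releases expose as the `CSRF_COOKIE_SECURE` and `CSRF_COOKIE_HTTPONLY` settings (not part of the Django version discussed in this thread).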