On Sun, Oct 27, 2019 at 00:50:17 -0400, Mike Gerwitz wrote:
> On Sat, Oct 26, 2019 at 09:48:37 +0200, to...@tuxteam.de wrote:
>>> Passing session tokens via GET requests is a bad idea, because that
>>> leaks the token.
>>
>> Even in https?
[...]
> Back in wh
of caching isn't useful.
--
Mike Gerwitz
On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> On Thu, Oct 24, 2019 at 09:39:04PM -0400, Mike Gerwitz wrote:
>> CSRF mitigation and session tokens are separate concerns. You can mix
>> them, but that leads to complexity. The typical mitigation is to
plicates load
balancing and SSO, etc.
Checking the referrer isn't a good security measure. For example, if
the legitimate referrer were vulnerable to XSS, open redirects, or a
host of other vulnerabilities, then an attacker could circumvent it by
having the CSRF attack originate from th
n.html
We'd be happy to review it.
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
get it into shape where we can consider including it
> in Guile.
This is something I'm very much looking forward to---it's important work!
Thanks again for taking it on, and thanks for the update.
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D
turally-fixing-injection-bugs.html
Yes, it's silly for Schemers to have to worry about these issues. Which
I make obnoxiously clear to my PHP co-workers on a frequent basis.
--
Mike Gerwitz
Free Software Hacker | GNU Maintainer
http://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EA