Storing previous URL as session data
#13

[eluser]Jelmer[/eluser]
Quote: POST, yes, URL, no. Putting an arbitrary hash in the URL is just another way of saying: please brute force me.
POST can be done unseen through an unsafe SWF and some other tricks, so while attacks using POST are less common you can't really consider it safer than URL.
Also the token can't be valid for too long and needs to be refreshed every time another page is loaded - which is why you should enable CSRF site-wide and not through a quick fix like I posted before.

And brute force is a bit unlikely, by the way. In an MD5 hash there are 16 different characters in 32 different positions, which is 3.40e38 different possibilities. If you've got a very quick website your page can be loaded about 250 times per second - it would take up to 44252284503867361561508349905,297 years to break this by brute force. If you make your cookie expire after 30 minutes, that gives someone a 1 in 7.56e32 chance of breaking it.
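The post argues for three properties of a CSRF token: it is accepted only from the POST body (never from the URL), it expires after a short window, and it is rotated on every page load. The following is an added example illustrating those rules in Python; it is not CodeIgniter's CSRF implementation and not code from the thread. It assumes a server-side session object that holds the current token, a form field named `csrf_token`, and an injectable clock so the expiry can be exercised deterministically. The two helper functions at the end reproduce the brute-force arithmetic from the post (16 hex characters in 32 positions, 250 attempts per second, a 30-minute window) as a general formula rather than a single computation.

```python
import hmac
import secrets
import time

# Token lifetime in seconds; 30 minutes is the window discussed in the post.
TOKEN_TTL_SECONDS = 30 * 60


class CsrfSession:
    """Server-side session state for one CSRF token (illustrative, not CodeIgniter's).

    Rules enforced:
      * token is accepted only from the POST body, never from the query string
      * token expires TOKEN_TTL_SECONDS after it was issued
      * token is single-use: it is cleared after any validation attempt, so the
        next page render must issue a fresh one (per-page refresh)
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable clock (assumption) so tests can move time
        self.token = None
        self.issued_at = None

    def issue_token(self):
        # 32 random bytes from the OS CSPRNG -> 64 hex chars (256 bits),
        # i.e. a larger space than the 128-bit MD5 value the post reasons about.
        self.token = secrets.token_hex(32)
        self.issued_at = self.clock()
        return self.token

    def validate(self, method, form_fields, query_params):
        """Return True only for a fresh, unexpired token carried in a POST body."""
        # A token in the URL leaks via Referer headers, proxy logs and browser
        # history, so any request that carries it there is rejected outright.
        if method.upper() != "POST" or "csrf_token" in query_params:
            return False
        submitted = form_fields.get("csrf_token")
        if not isinstance(submitted, str) or not submitted or self.token is None:
            return False
        # Expiry check: a token older than the TTL is discarded, not compared.
        if self.clock() - self.issued_at > self.ttl:
            self._clear()
            return False
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        ok = hmac.compare_digest(submitted.encode(), self.token.encode())
        # Rotate regardless of outcome: a guessed or replayed value cannot be
        # retried against the same token.
        self._clear()
        return ok

    def _clear(self):
        self.token = None
        self.issued_at = None


def expected_years_to_brute_force(hex_len, attempts_per_second):
    """Years to exhaust a hex token of hex_len characters at the given rate."""
    space = 16 ** hex_len
    return space / attempts_per_second / (365 * 24 * 3600)


def guess_odds_in_window(hex_len, attempts_per_second, window_seconds):
    """Return N such that a blind guess within the window succeeds 1 time in N."""
    return 16 ** hex_len / (attempts_per_second * window_seconds)


if __name__ == "__main__":
    session = CsrfSession()
    token = session.issue_token()
    print("POST with fresh token:", session.validate("POST", {"csrf_token": token}, {}))
    print("same token again:", session.validate("POST", {"csrf_token": token}, {}))
    print("years at 250 req/s, 32 hex chars: %.2e" % expected_years_to_brute_force(32, 250))
    print("1 in %.2e within 30 minutes" % guess_odds_in_window(32, 250, 30 * 60))
```

Running the block prints `True` for the first submission and `False` for the replay, and the odds helper yields roughly 1 in 7.56e32 for the post's figures.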

