Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter General Help CSRF and double posting
CSRF and double posting
  • Offline spjonez
    Member
  • ***
  • Posts: 213
    Threads: 16
    Joined: Oct 2014
    Reputation: 10
#15
06-20-2016, 02:32 PM
(This post was last modified: 06-20-2016, 02:51 PM by spjonez.)

(06-20-2016, 01:49 PM)Narf Wrote: blah blah blah

What does the "A" stand for in AJAX? If you're making synchronous AJAX calls you've failed on so many levels I don't even know where to begin. I'd love to see how you manage concurrent AJAX requests with this enabled since CI's implementation uses a single valid token. I'm astounded I even had to say asynchronous as only a complete moron would send synchronous AJAX calls. The spec is even deprecating this behaviour and for good reason. Let's lock browser threads! Yay!

If you aren't vulnerable to XSS attacks, can you provide an example of a security hole created by using a single token vs a token that changes per request? I'd love to hear it because apparently the security company we paid to smash away at our app for 3 days straight wasn't able to find one.

And please, don't say "in theory if they get your token"... if they can steal it once they can steal it 100 times.
Reply


Messages In This Thread
CSRF and double posting - by PaulD - 06-18-2016, 11:03 PM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 12:05 AM
RE: CSRF and double posting - by John_Betong - 06-20-2016, 09:25 PM
RE: CSRF and double posting - by skunkbad - 06-20-2016, 10:55 PM
RE: CSRF and double posting - by PaulD - 06-19-2016, 12:43 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 01:00 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 03:19 AM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 09:30 AM
RE: CSRF and double posting - by PaulD - 06-19-2016, 03:06 PM
RE: CSRF and double posting - by skunkbad - 06-19-2016, 03:35 PM
RE: CSRF and double posting - by PaulD - 06-19-2016, 05:59 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 11:18 AM
RE: CSRF and double posting - by Narf - 06-20-2016, 12:26 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 12:37 PM
RE: CSRF and double posting - by Narf - 06-20-2016, 01:49 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 02:32 PM
RE: CSRF and double posting - by PaulD - 06-20-2016, 01:46 PM
RE: CSRF and double posting - by PaulD - 06-20-2016, 04:02 PM
RE: CSRF and double posting - by spjonez - 06-20-2016, 07:00 PM
RE: CSRF and double posting - by Narf - 06-21-2016, 03:38 AM
RE: CSRF and double posting - by spjonez - 06-21-2016, 08:54 AM
RE: CSRF and double posting - by Narf - 06-22-2016, 05:14 AM
RE: CSRF and double posting - by Martin7483 - 06-23-2016, 03:35 AM



Theme © iAndrew 2016 - Forum software by © MyBB