views: 49

answers: 3

I was thinking about this and it appears POST is only a little less vulnerable and somewhat harder (due to requiring the user to click something).

I read about token IDs and double-submitted cookies and I am not sure what the difference is.

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies

Right now I have the user ID (PK in my table) and a session ID, so you can't simply change your cookie ID and act like someone else. Now it seems like I put the session ID as a token in each of my forms and check them, because attackers can't guess these tokens. However, I dislike the idea of putting the session ID into the page for people to see. But really, is there a problem with that? Short of having the user copy/paste the HTML, are there any attacks that can happen due to the session ID being in plain view in the HTML?

A: 

The session-ID is known on client side anyway. How else would they send it with the requests?

Thomas Lötzer
A: 

Yes, it is fine to have the token ID in plain view. You can have it work just as well by using HttpOnly cookies.

acidzombie24
complete nonsense
Longpoke
+1  A: 

If the user can copy a link with a token in it, this is very insecure. Likewise for the current address: if you use a static session ID, a referral to an outside site or a screenshot will render the session compromised. Even if you don't have a static session ID, the user can put his mouse over a link and it will show in the bottom of his browser, and then take a screenshot, once again rendering his session compromised.

Longpoke
You have a point with the screenshot, but I was assuming 1) the user wouldn't hand the key over, 2) it isn't in view in a link (hidden value in the form). Since I must have the token in the form (for the purpose of double-submitted cookies), there's no way to hide it if it must be part of the HTML. Right now in my implementation I haven't made it visible in a link.
acidzombie24
I'll give you a +1 because I never thought about video-capture software or screenshots (but I imagine if video capture is installed, a keylogger can be too). I'll revise my code to use a session and a separate form token.
acidzombie24
I was thinking more that the user would be convinced to take a screenshot or someone looking over his shoulder could grab the session id if it's in the URL.
Longpoke
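The thread ends with the asker deciding to keep the session ID out of the form and use a separate form token instead. The following is an added example of that design, not code from the question or from the OWASP cheat sheet linked above. It shows two ways to issue a token that is tied to the session but is not the session ID: a synchronizer token (a second random secret stored in the server-side session record) and an HMAC-bound token (HMAC-SHA256 of the session ID under a server key, which cannot be reversed to recover the session ID). The cookie name `sid`, the in-memory `SESSIONS` store, the `SERVER_KEY` value and all function names are assumptions made for the illustration. The HMAC-bound variant is one way to bind a stateless token to a session; it is not the exact cookie-equals-form-field scheme the linked "Double Submit Cookies" section describes.

```python
"""Keep the session ID out of the HTML while still carrying a CSRF token in
every form. Added example, not the original poster's code. Two token styles:

  * "synchronizer": a random per-session secret stored server-side,
    independent of the session ID;
  * "hmac": HMAC-SHA256(SERVER_KEY, session_id), tied to the session but
    not reversible to the session ID.

Either token is checked against the session named by the session cookie,
so a token copied from one session is useless against another.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Server-side key for the HMAC-bound variant (constructed for this example;
# a real deployment keeps a long random key outside source control).
SERVER_KEY = secrets.token_bytes(32)

# In-memory session store, session_id -> record (constructed for the example).
SESSIONS = {}


def create_session(user_id):
    """Start a session. The CSRF token is a separate secret, not the session ID."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user_id": user_id,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def bound_token(session_id):
    """HMAC-bound token: derived from the session ID, but one-way."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id, style="synchronizer"):
    """Emit the form. Only the token reaches the HTML; the session ID never does."""
    if style == "synchronizer":
        token = SESSIONS[session_id]["csrf_token"]
    else:
        token = bound_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="amount"><input type="submit"></form>'
    )


def check_request(cookie_header, form_body, style="synchronizer"):
    """Validate a state-changing POST.

    Requires a known session cookie `sid` and a submitted csrf_token equal to
    the token belonging to *that* session. A cross-site forged form carries the
    victim's cookie (the browser adds it) but cannot supply the token, since the
    attacker's origin cannot read the victim's page or cookies.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if "sid" not in cookies:
        return False
    session_id = cookies["sid"].value
    if session_id not in SESSIONS:
        return False
    submitted = parse_qs(form_body).get("csrf_token", [""])[0]
    if style == "synchronizer":
        expected = SESSIONS[session_id]["csrf_token"]
    else:
        expected = bound_token(session_id)
    # Constant-time comparison so the check does not leak through timing.
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    victim = create_session(user_id=1)
    attacker = create_session(user_id=2)
    print(render_form(victim))
    # Legitimate submission from the victim's own page:
    print(check_request(f"sid={victim}", f"csrf_token={SESSIONS[victim]['csrf_token']}&amount=10"))
    # Forged cross-site POST: cookie is attached by the browser, token is missing:
    print(check_request(f"sid={victim}", "amount=10"))
    # Attacker pastes a token from their own session: bound to the wrong session.
    print(check_request(f"sid={victim}", f"csrf_token={SESSIONS[attacker]['csrf_token']}&amount=10"))
```

With either style, someone who screenshots or copies the hidden field learns a value that is neither the session ID nor usable without the victim's session cookie, which is the separation the asker settled on in the last comments. Marking the `sid` cookie HttpOnly additionally keeps page script from reading it, but that protects the cookie, not the form field; the form token still has to be a distinct value as shown here.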