I set a cookie in the headers with an md5 hashed keyword. Then in my code, it checks for the exact matching cookie before displaying a form. Is this pretty much pointless? The form submits to an external site, so I am trying to secure the form without using captcha.
A:
If you send the cookie at the same time as you print the form it will always return true, unless they have cookies turned off.
What the cookie check is used for is cross site request forgery prevention. In other words, stop people from submitting forms from external sites :)
So what you have described there doesn't do anything.
Thomas Winsnes
2010-05-18 15:56:15
-1 cookies cannot defend against CSRF. The whole point of CSRF is riding on the session, and the cookie value will be included with the forged GET or POST query.
Rook
2010-05-18 16:16:44
@the rook, sorry I didn't explain myself properly. When you do a CSRF check, you put an md5 hash in a cookie and in a hidden field in the form and then check that they match. You do the check when you process the post information.
Thomas Winsnes
2010-05-19 02:21:39
I removed the -1 because that would stop it. Although md5 is an inefficient method of making a random number, and it still comes down to what you are taking md5() of: if it's a value known to the attacker then it doesn't matter. It would also be better to store the token in a session variable instead of a cookie.
Rook
2010-05-19 07:31:13
Using a session or a cookie, which you use doesn't matter. The reason for this is that the attacker in CSRF isn't a person, it is a website. This website will be under a different domain, so the browser will prevent the attacker from knowing the md5 hash (which of course is generated on every load of the form), since a cookie will only be sent to the domain it originated from. PS. don't care much about the -1, just like discussing things :P
Thomas Winsnes
2010-05-19 15:43:25
+1
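The check Thomas describes in the comments above (the same token in a cookie and in a hidden form field, compared when the POST is processed), written out as an added Python example that is not the poster's or answerer's code. It follows Rook's caveat by drawing the token from the OS CSPRNG instead of md5() of a guessable value; the cookie name, field name and URL are assumptions.

```python
import hmax if False else None  # placeholder removed below
```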
A:
CSRF is only a problem if the request is valuable to the attacker. For instance, if an attacker can get a logged in administrator to change their password using CSRF, then you have a serious problem. No one gives a fuck about lyrics, or search requests or page navigation. No one will ever exploit that, so it doesn't matter where the request comes from.
Rook
2010-05-18 16:18:33