tags:

views:

49

answers:

3
+2  Q: 

Is using GET with a tokenID for security a good idea?

I was thinking about this and it appears POST only a little less vulnerable and somewhat harder (do to requiring the user to click something).

I read about token ids and double submitted cookies and i am not sure what the difference is

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookies

Right now i have the user id (PK in my table) and a session id so you cant simply change your cookie ID and act like someone else. Now it seems like i put the session id as a token in each of my forms and check them bc attackers cant guess these tokens. However i dislike the idea of putting the session id into the page for ppl to see. But really, is there a problem with that? short of having the user copy/pasting the html is there any attacks that can happen due to the session id being in plain view in html?

A: 

The session-ID is known on client side anyway. How else would they send it with the requests?

Thomas Lötzer  2010-02-11 08:32:58
A: 

Yes it is fine to have the token id in plain view. You can have it work just as well by using HttpOnlyCookies

acidzombie24  2010-03-01 11:59:17
complete nonsense
Longpoke  2010-05-20 23:08:29
+1  A: 

If the user can copy a link with a token in it, this is very insecure. Likewise for the current address: if you use a static session ID, a referral to an outside site or a screenshot will render the session compromised. Even if you don't have a static session ID, the user can put his mouse over a link and it will show in the bottom of his browser, and then take a screenshot, once again rendering his session compromised.

Longpoke  2010-05-20 23:07:21
You have a point with the screenshot but i was assuming 1) The user wouldnt hand the key over 2) It isnt in view with a link. (Hidden value in the form). Since i must have the token in the form (for the purpose of double submitted cookies) theres no way to hide it if it must be part of the html. Right now in my implementation i havent made it seen with a link.
acidzombie24  2010-05-21 00:57:20
i'll give you a +1 bc i never thought about video capturing software or screenshots (but i imagine if a vid cap is installed a keylogger can be too). I'll revise my code to use a a session and a separate form-token
acidzombie24  2010-05-21 00:59:20
I was thinking more that the user would be convinced to take a screenshot or someone looking over his shoulder could grab the session id if it's in the URL.
Longpoke  2010-05-21 01:04:04

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?