ansaurus

Question

Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie Header

Answer 1

+3 A:

Yes, it is sufficient to prevent Cross Site Request Forgery.

The sessionid in the cookie cannot be trusted. Say a user is logged on to mysite.com and session id is in the cookie. Now the user clicks on a link to evilsite.com. evilsite.com has code like this

<img src="http://mysite.com/transfermoney.jsp?amount=1000.." />

The browser will make a request to mysite.com, and it will also send along the cookie with the session id. The thing to understand here is that evilsite.com cannot read the cookie, but it can still get its job done.

Browser same-origin policy prevents evilsite.com from reading the session identifier whether its in the cookie or embedded in html page. But because browser automatically sends the cookie to your server even if the resource was requested from the html code in another domain, you have XSRF.

To prevent this, it is recommended to put the session identifier as a request parameter. If its added as a request parameter, evilsite.com cannot access the identifier, and hence cannot put it in the img src attribute.

However, do remember that if your site has XSS vulnerabilities, nothing can prevent you from XSRF. Put it another way, if you have XSS vulnerabilities, an attacker wouldn't even care about doing XSRF.

sri 2010-04-05 17:23:36

@Sripathi: This is a very good answer to a very good question! The practical problem I see, is that people are used to "staying logged in", even if they close one browser window, or if they use other browser windows to visit the same site - they expect to be still logged in. So if my site doesn't provide that functionality (to counter CSRF attacks), I'm afraid that they will view my site as "low quality" - i.e. "why can other sites do that, but not yours?!" I can actually understand that attitude. Is there any way to combine both advantages, or to find a good compromise?

Chris Lercher 2010-04-05 19:40:45

It is possible. CSRF is mainly a problem with AJAX style APIS, where a single request is all that is needed to do something harmful. For such api requests, you shouldn't rely only on the long-lived-remember-me cookie. However, it is okay to render read-only pages using just the cookie - because the attacker can't read the content using just csrf.

sri 2010-04-06 01:08:04

@sri: I think, that's the best compromise. I'm still feeling a little bit unsure however, because I remember reading an article (http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html) about a technique how to steal certain kinds of data from the reply of a CSRF, although it shouldn't really be possible. I hope, it's impossible to expand this beyond JavaScript results, because we can safely assume that it breaks with the first `<` character or so? If we can't, users would actually have to login for every browser tab separately...

Chris Lercher 2010-04-06 11:43:07

Jeff Atwood recommended using HttpOnly : http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html

Yan Cheng CHEOK 2010-04-07 17:55:57

ansaurus

tags:

views:

answers:

Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie Header

related questions