preventing CSRF with ajax logins (double cookie submit?) help plz!

[alexweber15]

read a lot about this but i just dont seem to be getting it...

 

im not sure what the problem is...

 

ok so instead of normally posting a form, i use javascript to post it... same thing right?

the problem afaik is with the ajax reply, which is usually in json/xml (basically, plaintext) and which could be intercepted...

 

ive read about:

 

- sending a salt before the content for encryption

- sending session id along with data

- encrypting multiple times

 

this all seems a bit twilight zone...

 

can anyone please explain where exactly the problem is and recommend 1 or 2 good solutions please?

 

thanks!

[xtopolis]

Google.

 

I read this article and learned a fair bit, specifically: Prevention section.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

 

edit: There is no "best" solution.  this is more of a client problem that you can help prevent / double check.  Just try to cover your bases as best you can.  Have other coders test your stuff  (like in the section on this forum) and they'll tell you what's up.  Plenty of sites out there willing to check your security.

[alexweber15]

Google.

 

I read this article and learned a fair bit, specifically: Prevention section.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

 

edit: There is no "best" solution.  this is more of a client problem that you can help prevent / double check.  Just try to cover your bases as best you can.  Have other coders test your stuff  (like in the section on this forum) and they'll tell you what's up.  Plenty of sites out there willing to check your security.

 

thanks!

i actually did google the subject extensively but haven't gotten around to reading all the articles i bookmarked...

 

but its a pretty solid idea to get codes on the forums and elsewhere to try and find vulnerabilities as i go along!

 

i still dont get the part about cookies though...  ??? :'(