preventing CSRF with ajax logins (double cookie submit?) help plz!


alexweber15

Read a lot about this but I just don't seem to be getting it...

I'm not sure what the problem is...

OK, so instead of normally posting a form, I use JavaScript to post it... same thing, right?

The problem, AFAIK, is with the AJAX reply, which is usually in JSON/XML (basically plaintext) and which could be intercepted...

I've read about:

- sending a salt before the content for encryption
- sending the session ID along with the data
- encrypting multiple times

This all seems a bit Twilight Zone...

Can anyone please explain where exactly the problem is and recommend 1 or 2 good solutions?

Thanks! :)


Google.

I read this article and learned a fair bit, specifically the Prevention section.

http://en.wikipedia.org/wiki/Cross-site_request_forgery

edit: There is no "best" solution. This is more of a client problem that you can help prevent / double check. Just try to cover your bases as best you can. Have other coders test your stuff (like in the section on this forum) and they'll tell you what's up. Plenty of sites out there are willing to check your security.



Thanks!

I actually did Google the subject extensively but haven't gotten around to reading all the articles I bookmarked...

But it's a pretty solid idea to get coders on the forums and elsewhere to try and find vulnerabilities as I go along! :)

I still don't get the part about cookies though... ??? :'(
