Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am reading the tutorial at
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
It states
Remember – you must never rely on the
sessionID sent to your server in the
cookie header ; look only at the
sessionID that your GWT app sends
explicitly in the payload of messages
to your server.
Is it use to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics
With this mythology, is it sufficient enough to prevent to above attack?
Yes, it is sufficient to prevent Cross Site Request Forgery.
The sessionid in the cookie cannot be trusted. Say a user is logged on to mysite.com and session id is in the cookie. Now the user clicks on a link to evilsite.com. evilsite.com has code like this
The browser will make a request to mysite.com, and it will also send along the cookie with the session id. The thing to understand here is that evilsite.com cannot read the cookie, but it can still get its job done.
Browser same-origin policy prevents evilsite.com from reading the session identifier whether its in the cookie or embedded in html page. But because browser automatically sends the cookie to your server even if the resource was requested from the html code in another domain, you have XSRF.
To prevent this, it is recommended to put the session identifier as a request parameter. If its added as a request parameter, evilsite.com cannot access the identifier, and hence cannot put it in the img src attribute.
However, do remember that if your site has XSS vulnerabilities, nothing can prevent you from XSRF. Put it another way, if you have XSS vulnerabilities, an attacker wouldn’t even care about doing XSRF.