Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Quote:
The web has changed a lot since CSRF was a “big thing”, and tactics
used with CSRF attacks are becoming outdated.I personally don’t protect against CSRF, mainly because I don’t use
blatantly insecure methods of authentication.
Does he make any sense?
Please provide me with some arguments If I am correct, why this guy is being (stubborn?) or not thinking clearly as I am trying to make a point, but I am actually not hundred about to how to express it…
There is no sense in the quoted argument as-is, but presumably there is some other context we are missing.
It is unclear what form of authentication your colleague is proposing that would be ‘not blatantly insecure’, free from CSRF issues.
There are some possibilities, for example in a fully AJAX-driven app you might be passing in an auth token as an input parameter instead of relying on a session. In that case you wouldn’t need an additional anti-CSRF measure as the auth token would already be a secret unavailable to attackers.
But CSRF in general has not gone away; browsers have not grown magic features to stop it happening. For the typical model of webapp that uses a browser-persistent authentication model (cookies, HTTP Authentication), you definitely still need to address it in some way.