From: Nala Ginrut
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Thu, 24 Oct 2019 22:15:33 +0800
On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <address@hidden> wrote:
> Because of login CSRF the Referer header should also be verified for
> all links internal to the website (external links should strip the
> Referer header via redirect pages similar to what the code attached to
> this mail does).
>
> I do not know what Artanis does currently. I will check next week.
>

The current Artanis will check both the session token (from cookies) and the client IP. This method was blamed for being overkill because some users may be in the same LAN with a unique external IP. But I think IPv6 will cover this world finally, so I think this would be the best way to go. Of course, there's no conflict in adding an extra verification token. Patches or proposals are welcome. ;-)

Best regards.
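The three mechanisms the thread discusses (a session cookie, a Referer/Origin check on internal requests so a login form cannot be submitted from a foreign page, and an outbound redirect page that strips the Referer) put together in one small server-side policy. This is an added example written for this archive page; it is not Artanis code and not the code Florian attached. The host name `example.org`, the cookie, header and form-field names, and the `/login` path are assumptions.

```python
"""Minimal CSRF policy: Origin/Referer check + session-bound token.
Added example, not part of Artanis. Names below are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

SITE_HOST = "example.org"              # assumed canonical host of the site
SECRET_KEY = secrets.token_bytes(32)   # per-process signing key (constructed)


def csrf_token(session_id: str) -> str:
    """Derive a token bound to the session id, so a stolen token is useless
    without the matching session cookie and vice versa."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_internal(headers: Dict[str, str]) -> bool:
    """Accept a state-changing request only when Origin (preferred) or
    Referer names our own host. Browsers send Origin on cross-site POSTs
    and Referer on same-site form submissions, so a request carrying
    neither is treated as external: this is what blocks login CSRF, where
    no session exists yet and a token check alone cannot help."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == SITE_HOST


def check_request(headers: Dict[str, str], cookies: Dict[str, str],
                  form: Dict[str, str], path: str) -> Tuple[bool, str]:
    """Decide whether a POST to `path` may proceed. Returns (ok, reason)."""
    if not referer_is_internal(headers):
        return False, "origin/referer not internal"
    if path == "/login":
        # No session before login, so the Referer/Origin check is the only
        # thing protecting this form (assumed login path).
        return True, "referer ok"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False, "bad csrf token"
    return True, "ok"


def external_redirect_headers(target: str) -> Dict[str, str]:
    """Response headers for the bounce page used on outbound links, so the
    browser does not send our internal URL as Referer to the external site."""
    return {"Location": target, "Referrer-Policy": "no-referrer"}


if __name__ == "__main__":
    sid = "constructed-session-id"
    ok, why = check_request({"Referer": "https://example.org/post/new"},
                            {"session": sid}, {"csrf_token": csrf_token(sid)},
                            "/post")
    print(ok, why)
```

`referer_is_internal` rejects a request that carries neither header; that is deliberate, because a page that strips the Referer looks exactly like a cross-site submission, and a same-site browser form always supplies at least one of the two. The token is an HMAC over the session id rather than a random per-session value stored server-side, which keeps the check stateless; binding the session to the client IP, as the current Artanis does, is independent of this and would sit alongside it.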