Re: mailmam, web bridge, forum, p2p

guile-user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mailmam, web bridge, forum, p2p

From:	tomas
Subject:	Re: mailmam, web bridge, forum, p2p
Date:	Sat, 26 Oct 2019 13:31:16 +0200
User-agent:	Mutt/1.5.21 (2010-09-15)

On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF.  Would you
> > > use POST for all (sensitive) requests after login?
> > 
> > GET requests are supposed to retrieve information, not modify it, and
> > should be indempotent.  Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
> 
> You are right.  That makes sense.  We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!

You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)

Cheers
-- tomás

signature.asc
Description: Digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: mailmam, web bridge, forum, p2p, (continued)

Prev by Date: Re: Diversification [ branched from Re: conflicts in the gnu project now affect guile]
Next by Date: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Previous by thread: Re: mailmam, web bridge, forum, p2p
Next by thread: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Index(es):
- Date
- Thread