Re: mailmam, web bridge, forum, p2p
From: tomas
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sat, 26 Oct 2019 13:31:16 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
On Sat, Oct 26, 2019 at 11:35:06AM +0200, pelzflorian (Florian Pelz) wrote:
> On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> > On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > > So you would use both a cookie to retain login state and then only for
> > > sensitive requests additionally use nonces to prevent CSRF. Would you
> > > use POST for all (sensitive) requests after login?
> >
> > GET requests are supposed to retrieve information, not modify it, and
> > should be idempotent. Since they should have no meaningful
> > side-effects, CSRF shouldn't have any meaningful action to
> > exploit.
>
> You are right. That makes sense. We need not abstain from cookies
> and with cookies we can have GET requests retain session state and
> then for anything sensitive use a nonce, whether GET or POST,
> i.e. write code for links to include a nonce and verify nonces.
> Thank you!
You can still have session state in the URL and keep GET idempotent
(there might be other reasons to use cookies, though: I've yet to be
convinced ;-)
Cheers
-- tomás
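The scheme the thread converges on (a session cookie for login state, GET handlers that only read, and a per-session nonce checked on every state-changing POST) in a few lines of Python. This is an added illustration, not code from the thread, from Guile or from mailman; the session store, the `/post` and `/posts` paths and the user name are constructed for the demo. The nonce is derived as HMAC(per-session secret, action name), so the server stores nothing per nonce and a nonce for one action or one session is useless for another:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory server state (assumption: a single-process demo,
# not the real mailman/forum code discussed in the thread).
SESSIONS = {}


def new_session(user):
    """Log a user in: returns the session id that goes into the cookie.

    The session also carries a random per-session secret from which CSRF
    nonces are derived, so a nonce is useless for any other session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf_secret": secrets.token_bytes(32),
        "posts": [],
    }
    return sid


def csrf_token(sid, action):
    """Nonce for one sensitive action in one session: HMAC(secret, action).

    The server does not have to remember issued nonces; it recomputes and
    compares. A token for "post" cannot be replayed as a token for "delete"."""
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()


def handle(method, path, cookies, params):
    """Minimal request dispatcher.

    GET handlers only read state (idempotent, no side effects), so a
    cross-site GET can at most make the victim's browser fetch a page.
    State-changing handlers require POST plus a valid per-session nonce;
    the cookie alone, which the browser attaches to any cross-site form
    submission, is not enough."""
    sid = cookies.get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "login required"

    if method == "GET":
        if path == "/posts":
            return 200, list(sess["posts"])
        if path == "/post":
            # The form the legitimate site serves embeds the nonce.
            return 200, {"form": "post", "csrf": csrf_token(sid, "post")}
        return 404, "not found"

    if method == "POST" and path == "/post":
        supplied = params.get("csrf", "")
        expected = csrf_token(sid, "post")
        # Constant-time compare so a forger cannot learn the nonce byte by byte.
        if not hmac.compare_digest(supplied, expected):
            return 403, "missing or invalid CSRF nonce"
        sess["posts"].append(params.get("body", ""))
        return 201, "posted"

    return 405, "method not allowed"


def demo():
    """Walk through the legitimate flow and two forged requests."""
    sid = new_session("florian")
    cookies = {"session": sid}

    # 1. Legitimate flow: fetch the form (GET), then submit with its nonce.
    status, form = handle("GET", "/post", cookies, {})
    assert status == 200
    legit = handle("POST", "/post", cookies, {"csrf": form["csrf"], "body": "hello"})

    # 2. Cross-site form: the browser adds the cookie, but the attacker's page
    #    cannot read the victim's nonce, so it is absent (or a guess).
    forged_post = handle("POST", "/post", cookies, {"body": "spam"})

    # 3. Cross-site GET (e.g. an <img src>): it reaches the server with the
    #    cookie, but the GET handler has no side effect to abuse.
    forged_get = handle("GET", "/post", cookies, {"body": "spam"})

    return {
        "legit": legit[0],
        "forged_post": forged_post[0],
        "forged_get": forged_get[0],
        "posts": handle("GET", "/posts", cookies, {})[1],
    }


if __name__ == "__main__":
    print(demo())
```

If a design nevertheless insists on a sensitive GET link, as Florian's message allows for, the same `csrf_token` check applies to a `csrf` query parameter; the example keeps to Mike's split (GET reads, POST changes) because that is what makes a cross-site GET harmless in the first place.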