On Mon, Jun 15, 2009 at 4:49 PM, Mike Wilson
<mikewse@...> wrote:
...
I was thinking that maybe
this cookie could also be used for your suggestion on the new CSRF protection
mechanism, but I made some tests and at least IE (surprise) seems to do no
locking and be very liberal about changing cookie values under your feet
when you work with the same cookie in multiple windows. So this would need some
more work.
Absolutely.
I revised the scheme to avoid this:
1: Read the anti-csrf-cookie
2: If empty, generate a new random password and place it in the cookie
3: Place the value in an anti-csrf header
4: Post request
I don't think the value needs to change, just to be unpredictable.
I've spoken to John Resig and Dylan about it, and they're both of the opinion that if we could make the alg. small enough then they might consider using it by default. Otherwise it would need to be a plugin.
But I've not had time to hack on it much recently.
Joe.