[159674] in North American Network Operators' Group
Re: Suggestions for the future on your web site: (was cookies, and
daemon@ATHENA.MIT.EDU (Matt Palmer)
Thu Jan 17 17:39:10 2013
Date: Fri, 18 Jan 2013 09:38:53 +1100
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <50F70139.8050401@deaddrop.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
[Cookies on stat.ripe.net]
On Wed, Jan 16, 2013 at 11:36:25AM -0800, Shrdlu wrote:
> The cookie stays around for a YEAR (if I let it), and has the
> following stuff:
>
> Name: stat-csrftoken
> Content: 7f12a95b8e274ab940287407a14fc348
[...]
> To your credit, you only ask once, but you ought to ask zero times.
CSRF protection is one of the few valid uses of a cookie. It shouldn't need
to be set on every page, though, and it should be cleared immediately after
the form submission. It's typically a lot easier in the site code just to
set it once and be done with it.
By the way, if anyone *does* know of a good and reliable way to prevent CSRF
without the need for any cookies or persistent server-side session state,
I'd love to know how. Ten minutes with Google hasn't provided any useful
information.
- Matt
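One cookie-free, stateless answer to the question above, added here as an example (not code from the post or from stat.ripe.net): the server embeds an HMAC-signed token (timestamp plus a binding value, keyed with a server secret) as a hidden form field and verifies it on submission, paired with an Origin/Referer check; SECRET_KEY, TOKEN_TTL, the header names and the binding strings are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # constructed: per-deployment server secret, never sent to clients
TOKEN_TTL = 3600                      # assumed: seconds a form token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(binding: str, now=None) -> str:
    """Sign <timestamp>|<binding>; nothing is stored server-side.
    binding = authenticated user id, or the form action for anonymous forms."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET_KEY, f"{ts}|{binding}".encode(), hashlib.sha256).digest()
    return f"{ts}.{_b64(mac)}"


def verify_token(token: str, binding: str, now=None) -> bool:
    """Recompute the MAC over the claimed timestamp and the expected binding; reject
    malformed, expired, future-dated, or tampered tokens (constant-time comparison)."""
    try:
        ts, mac_b64 = token.split(".", 1)
        issued, mac = int(ts), _unb64(mac_b64)
    except (ValueError, TypeError, AttributeError):
        return False
    current = time.time() if now is None else now
    if not (issued <= current <= issued + TOKEN_TTL):
        return False
    expected = hmac.new(SECRET_KEY, f"{ts}|{binding}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict, site_origin: str) -> bool:
    """Second cookie-free check: a cross-site POST carries the attacker's Origin (or Referer).
    A missing header is treated as cross-site, i.e. fail closed."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    return origin == site_origin or origin.startswith(site_origin + "/")


def accept_submission(form: dict, headers: dict, binding: str, site_origin: str, now=None) -> bool:
    """Both checks must pass; neither needs a cookie or a server-side session."""
    return origin_allowed(headers, site_origin) and verify_token(form.get("csrftoken", ""), binding, now)
```

For an anonymous form the binding can only be the action path, so anyone able to fetch the form can obtain a valid token and the Origin check carries the real weight; binding to an authenticated identity is what gives the token teeth.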