StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow to prevent CSRF in a RESTful application?
primarykey
Id
2392100
data
AcceptedAnswerId
32700235
AnswerCount
6
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2010-03-06T10:02:49.173
FavoriteCount
26
LastActivityDate
2017-07-12T04:14:37.663
LastEditDate
2013-06-27T14:30:28.740
LastEditorUserId
238134
OwnerUserId
238134
ParentId
0
PostTypeId
1
Score
68
ViewCount
51263
LastEditorDisplayName
text
Body
<p>Cross Site Request Forgery (CSRF) is typically prevent with one of the following methods:</p> <ul> <li>Check referer - RESTful but unreliable</li> <li>insert token into form and store the token in the server session - not really RESTful</li> <li>cryptic one time URIs - not RESTful for the same reason as tokens</li> <li>send password manually for this request (not the cached password used with HTTP auth) - RESTful but not convenient</li> </ul> <p>My idea is to use a user secret, a cryptic but static form id and JavaScript to generate tokens. </p> <pre><code><form method="POST" action="/someresource" id="7099879082361234103"> <input type="hidden" name="token" value="generateToken(...)"> ... </form> </code></pre> <ol> <li><code>GET /usersecret/john_doe</code> fetched by the JavaScript from the authenticated user.</li> <li>Response: <code>OK 89070135420357234586534346</code> This secret is conceptionally static, but can be changed every day/hour ... to improve security. This is the only confidential thing.</li> <li>Read the cryptic (but static for all users!) form id with JavaScript, process it together with the user secret: <code>generateToken(7099879082361234103, 89070135420357234586534346)</code></li> <li>Send the form along with the generated token to the server.</li> <li>Since the server knows the user secret and the form id, it is possible to run the same generateToken function as the client did before sending and compare both results. Only when both values are equal the action will be authorized.</li> </ol> <p>Is something wrong with this approach, despite the fact that it doesn't work without JavaScript?</p> <p><strong>Addendum:</strong></p> <ul> <li><a href="http://appsandsecurity.blogspot.de/2012/01/stateless-csrf-protection.html" rel="noreferrer">Stateless CSRF Protection</a></li> </ul>
Tags
<security><http><rest><authorization><csrf>
Title
How to prevent CSRF in a RESTful application?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USdeamon
UserOwnerUserId
1. USdeamon
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
  singulars
  LinkTypeLinkTypeId
  LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
  singulars
  PostTypePostTypeId
  PTAnswer
2. PO
  singulars
  PostTypePostTypeId
  PTAnswer
3. PO
  singulars
  PostTypePostTypeId
  PTAnswer
VotesPostIdCreationDate
1. VO
  singulars
  PostPostId
  POHow to prevent CSRF in a RESTful application?
  UserUserId
  USFelix Kling
  VoteTypeVoteTypeId
  VTFavorite
2. VO
  singulars
  PostPostId
  POHow to prevent CSRF in a RESTful application?
  UserUserId
  USMike
  VoteTypeVoteTypeId
  VTFavorite
3. VO
  singulars
  PostPostId
  POHow to prevent CSRF in a RESTful application?
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTUpMod
CommentsPostId
1. COYour usersecret isn't unique to the user, an attacker simply needs to get that number and adjust their scripts to use the new calculation. How are you authenticating users if you have no state at all?
  singulars
  PostPostId
  POHow to prevent CSRF in a RESTful application?
  UserUserId
  USMike
2. COThe user secret is unique per user and can only be retrieved after authentication (HTTP basic or digest authentication or certificate authentication)
  singulars
  PostPostId
  POHow to prevent CSRF in a RESTful application?
  UserUserId
  USdeamon

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.