I ve just setup a simple CSRF protection in my application. It creates a unique crumb which are validated against a session value upon submitting a form.
Unfortunately this means now that I can t keep multiple instances (tabs in the browser) of my application open simultaneously as the CSRF crumbs collide with each other.
Should I create an individual token for each actual form or use a mutual, shared crumb for all my forms? What are common sense here?
You can do either. It depends on the level of security you want.
OWASP 企业安全预报(ESAPI)采用每用户会议使用的单一标语。 这可能是一种非常有效的方法,假设你没有特别安全局的漏洞,而且你有很短的时间。 如果你允许开庭时间或数周,那就不是好的做法。
在个人方面,我并不认为很难对每一种形式使用不同的标识。 我在用户会议中储存一个结构,配有关键数值。 每个项目的钥匙是表格的识别,其价值是另一个含有标注和标注日期的结构。 典型的情况是,我只允许象征性地生活10至20分钟,然后到期。 对于更长的形式,我可以给它很长的时间。
If you want to be able to support the same form in multiple browser tabs in the same session, then my method becomes a little trickery but could still be easily done by having unique form IDs.
OWASP Cheat Sheet对这一类物品拥有最明确的答案。 报告讨论了不同的办法,并兼顾安全与可使用性。
简言之,他们建议举行每届(浏览器)会议。 换言之,就你的情况而言,在表格中也有同样的标语。 日表还强调,重要的是不要把网站暴露在描述弱点的交叉点上,因为这样会破坏欧研中心每届会议的战略。
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...
