|
|
@@ -324,7 +324,7 @@ This lets the expected CSRF token outlive the session.
|
|
|
+
|
|
|
One might ask why the expected CSRF token is not stored in a cookie by default.
|
|
|
This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
|
|
|
-This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips a CSRF checks when the header X-Requested-With is present].
|
|
|
+This is the same reason Ruby on Rails https://rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails[no longer skips a CSRF checks when the header X-Requested-With is present].
|
|
|
See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
|
|
|
Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
|
|
|
|
Konstantin Filtschew