@avlidienbrunn @antisnatchor @homakov What about a unique token per session if the session is limited? (idle/absolute timeout)
@manicode @antisnatchor @homakov works in most cases. Misses race conditions and tokens leaking after being used. Easier to do it right imo
@avlidienbrunn @antisnatchor @homakov Tokens leaking, ever, is a serious defense flaw. I don't get how per request tokens help much.
@manicode @antisnatchor @homakov (per request scenario): if token leaks *after* being used then the leaked token is useless.
@manicode @antisnatchor @homakov (per action scenario): if token leaks for "search" action, it can't be used to CSRF "transfer money" action
New conversation
@avlidienbrunn @antisnatchor @homakov In the face of XSS, CSRF protection is useless.
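The per-request and per-action token scheme argued for above, as an added example that is not code from the thread. It binds each token to a session and an action name and consumes it on first successful check; the session ids and action names are constructed sample values.

```python
import secrets


class CsrfTokenStore:
    """Per-session, per-action, single-use CSRF tokens (illustrative, server side).

    A token is only accepted for the (session, action) pair it was issued for,
    and is deleted when accepted. So a token that leaks *after* it was used, or
    one issued for "search", cannot be replayed against "transfer".
    """

    def __init__(self):
        # session_id -> {token: action}
        self._tokens = {}

    def issue(self, session_id, action):
        """Mint a fresh random token for one action within one session."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = action
        return token

    def verify(self, session_id, action, token):
        """Return True once, and only for the matching session and action."""
        per_session = self._tokens.get(session_id, {})
        issued_for = per_session.get(token)
        if issued_for is None:
            return False          # unknown, already used, or wrong session
        if issued_for != action:
            return False          # issued for a different action: not consumed, not accepted
        del per_session[token]    # single use: the same token is rejected from now on
        return True


def demo():
    """Walk through the scenarios from the thread; returns the check outcomes."""
    store = CsrfTokenStore()
    sid = "sess-123"              # constructed sample session id
    search_tok = store.issue(sid, "search")
    transfer_tok = store.issue(sid, "transfer")
    return {
        "search_token_used_for_transfer": store.verify(sid, "transfer", search_tok),
        "transfer_first_use": store.verify(sid, "transfer", transfer_tok),
        "transfer_replay_after_use": store.verify(sid, "transfer", transfer_tok),
        "search_token_from_other_session": store.verify("sess-999", "search", search_tok),
        "search_legitimate": store.verify(sid, "search", search_tok),
    }
```

The operational cost of consuming tokens on first use is that concurrent requests from the same session (several tabs, retried submissions) each need their own freshly issued token, which is the race-condition handling the thread alludes to.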