@homakov better than allowing same CSRF "nonce" to be used multiple times
Replying to @avlidienbrunn
@avlidienbrunn @antisnatchor @homakov What about a unique token per session if the session is limited (idle/absolute timeout)?
Replying to @manicode
@manicode @antisnatchor @homakov Works in most cases. Misses race conditions and tokens leaking after being used. Easier to do it right imo.
Replying to @avlidienbrunn
@avlidienbrunn @antisnatchor @homakov Tokens leaking, ever, is a serious defense flaw. I don't get how per-request tokens help much.
Replying to @manicode
@manicode @antisnatchor @homakov (per-request scenario): if the token leaks *after* being used, then the leaked token is useless.
Replying to @avlidienbrunn
@manicode @antisnatchor @homakov (per-action scenario): if a token leaks for the "search" action, it can't be used to CSRF the "transfer money" action.
Replying to @avlidienbrunn
@manicode @homakov And as mentioned: nonces protect against race condition bugs (it shouldn't be CSRF protection's duty, but it's a nice bonus).
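A worked illustration of the three strategies the thread compares (per-session token, single-use per-request token, and token bound to an action), as an added example that is not part of the thread or any participant's code. The CsrfTokenStore class, its method names, the session IDs ("sess-A", "sess-B") and the action names ("search", "transfer") are assumptions made for the demo; the session timeout is a single TTL standing in for the idle/absolute expiry mentioned in the thread. It also shows the race-condition point: check-and-consume happens under one lock, so concurrent submissions of the same one-time token can only succeed once.

```python
import hmac
import secrets
import threading
import time


class CsrfTokenStore:
    """Hypothetical server-side CSRF token store (added example, not from the thread).

    per-session: one token per session, reusable until the session TTL passes
    per-request: single-use token, consumed atomically on its first valid check,
                 so a token that leaks *after* use is worthless
    per-action:  the single-use token is also bound to an action name, so a token
                 leaked from a "search" form cannot be replayed against "transfer"
    issue()/verify() combine the per-request and per-action strategies.
    """

    def __init__(self, session_ttl=900, now=time.monotonic):
        self._now = now                 # injectable clock so tests are deterministic
        self._session_ttl = session_ttl
        self._session_tokens = {}       # session_id -> (token, expires_at)
        self._one_time = {}             # token -> (session_id, action)
        self._lock = threading.Lock()   # makes lookup + compare + delete atomic

    def session_token(self, session_id):
        """Return the session's token, minting a fresh one if missing or expired."""
        with self._lock:
            entry = self._session_tokens.get(session_id)
            if entry is None or entry[1] <= self._now():
                entry = (secrets.token_urlsafe(32), self._now() + self._session_ttl)
                self._session_tokens[session_id] = entry
            return entry[0]

    def verify_session(self, session_id, presented):
        """Per-session check: the token survives use and dies with the session."""
        with self._lock:
            entry = self._session_tokens.get(session_id)
            if entry is None or entry[1] <= self._now():
                return False
            return hmac.compare_digest(entry[0], presented)

    def issue(self, session_id, action):
        """Mint a one-time token bound to this session and this action."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._one_time[token] = (session_id, action)
        return token

    def verify(self, session_id, action, presented):
        """Accept at most once, and only for the bound session and action."""
        with self._lock:
            bound = self._one_time.get(presented)
            if bound is None:
                return False
            ok = (hmac.compare_digest(bound[0], session_id)
                  and hmac.compare_digest(bound[1], action))
            if ok:
                del self._one_time[presented]   # consumed; a later leak is harmless
            return ok


def race(store, session_id, action, token, attempts=16):
    """Submit one token from many threads at once; return how many were accepted."""
    barrier = threading.Barrier(attempts)
    accepted = []                      # list.append is atomic in CPython

    def worker():
        barrier.wait()                 # release all submissions together
        if store.verify(session_id, action, token):
            accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return len(accepted)


def demo():
    """Walk through the scenarios from the thread with a fake clock; return outcomes."""
    clock = [0.0]
    store = CsrfTokenStore(session_ttl=60, now=lambda: clock[0])
    r = {}
    st = store.session_token("sess-A")                       # per-session token
    r["session_reuse_ok"] = (store.verify_session("sess-A", st)
                             and store.verify_session("sess-A", st))
    clock[0] += 61                                           # session timed out
    r["session_expired"] = store.verify_session("sess-A", st)
    tok = store.issue("sess-A", "transfer")                  # per-request token
    r["first_use"] = store.verify("sess-A", "transfer", tok)
    r["replay_after_use"] = store.verify("sess-A", "transfer", tok)
    search_tok = store.issue("sess-A", "search")             # per-action binding
    r["cross_action"] = store.verify("sess-A", "transfer", search_tok)
    r["right_action"] = store.verify("sess-A", "search", search_tok)
    other = store.issue("sess-A", "transfer")                # wrong session
    r["cross_session"] = store.verify("sess-B", "transfer", other)
    raced = store.issue("sess-A", "transfer")                # concurrent replay
    r["concurrent_accepts"] = race(store, "sess-A", "transfer", raced)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session-token path answers @manicode's question: it is simple and holds as long as the session does, but a copy that leaks while the session is alive keeps working. The issue()/verify() path is @avlidienbrunn's per-request plus per-action scheme: the same leaked token fails on replay, on the wrong action and from the wrong session, and the lock around the check-and-delete is what makes the "nonce as race-condition guard" bonus real rather than accidental.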