
Re: tor weather subscription problem



On 01/02/2011 07:40, Scott Bennett wrote:

>      I just tried to sign up for the "tor weather" email service.  Clicking
> on the subscribe button after entering the information requested in various
> places earlier on the page yielded,
> 
> Forbidden (403)
> 
> CSRF verification failed. Request aborted.
> 
> You are seeing this message because this HTTPS site requires a 'Referer header' to be sent
> by your web browser, but none was sent. This header is required for security reasons, to 
> ensure that your browser is not being hijacked by third parties.
> 
> If you have configured your browser to disable 'Referer' headers, please re-enable them, at
> least for this site, or for HTTPS connections, or for 'same-origin' requests.
> 
> More information is available with DEBUG=True.

As a web developer who has discovered and defended against CSRF in the
past, I feel I should express my opinion here. You should only use HTTP
referrers to prevent CSRF as a quick fix whilst a proper system is put
in place. A better way would be to embed a session ID in the form, pass
it in the POST data, and then compare it against the session id on the
server side.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
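The form-token check described in the reply above, as an added example that is not code from the original thread, from Tor Weather or from Django: a random per-session token is stored with the session, embedded in the form as a hidden field, and compared server-side on POST. A Referer same-origin check is included alongside it so the two can be compared: with only the token check, the subscription request from the quoted message (valid token, no Referer) succeeds, while a forged cross-site request that lacks the token is refused either way. The in-memory session store, the field name `csrf_token` and the host `example.org` are constructed for this example.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlsplit

# Constructed in-memory session store: session_id -> session data.
# A real deployment would keep this in the framework's session backend.
SESSIONS = {}

SITE_HOST = "example.org"  # constructed placeholder for the site's own host


def new_session():
    """Create a session and give it its own random CSRF token (not the session ID)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    return SESSIONS[sid]["csrf_token"]


def render_form(sid, action="/subscribe"):
    """Embed the session's token in the form as a hidden field."""
    token = csrf_token_for(sid)
    return (
        f'<form method="post" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="email" name="email">'
        '<button type="submit">Subscribe</button>'
        "</form>"
    )


def verify_csrf_token(sid, post_data):
    """Compare the submitted token with the session's token in constant time."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = post_data.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())


def referer_is_same_origin(headers, site_host=SITE_HOST):
    """The Referer-based check: absent or foreign Referer fails, as in the quoted 403."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == site_host


def handle_post(sid, headers, post_data, require_referer=False):
    """Return (status, body). The Referer check only applies when require_referer is set."""
    if require_referer and not referer_is_same_origin(headers):
        return 403, "CSRF verification failed. Request aborted."
    if not verify_csrf_token(sid, post_data):
        return 403, "CSRF verification failed. Request aborted."
    return 200, "Subscribed."


if __name__ == "__main__":
    sid = new_session()
    token = csrf_token_for(sid)
    # Browser that strips Referer headers, submitting the real form:
    print(handle_post(sid, {}, {"csrf_token": token}))                        # token check: 200
    print(handle_post(sid, {}, {"csrf_token": token}, require_referer=True))  # Referer check: 403
    # Forged cross-site request: no token is available to the attacker's page.
    print(handle_post(sid, {"Referer": "https://attacker.invalid/"}, {"email": "x@example.org"}))
```

Because the token is a separate random value bound to the session, the session identifier itself never appears in page bodies, and `hmac.compare_digest` avoids leaking the token byte-by-byte through timing differences.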
