[Owasp-csrfguard] OWASP CSRF Token Hijack Fix
causalbody at gmail.com
Thu Nov 9 22:18:30 UTC 2017
I am looking to incorporate OWASP CSRF 3.x into my webapp. I have some
generic questions, I hope you can help.
Firstly, thanks to you for all the existing documentation and code
contribution on this project.
I've posted this question to StackOverflow, basically trying to get some
insights on how the token hijacking could've been possible without the fix.
I am imagining it might be only through an existing XSS exploit, but I'm not sure.
Are there any obvious security flaws in storing the token value (perhaps in
an encrypted form) in a session cookie instead of the HTTP session? I want to
use a centralized lookup for the token, and putting it in the session will make
that tricky.
Please give me some directions here.
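The cookie-versus-session question above maps onto the well-known double-submit cookie pattern, and the flaw to watch for is cookie injection: anyone who can set a cookie for the site's domain (a compromised or attacker-controlled subdomain, or a plain-HTTP request when the cookie is not marked Secure) can plant a cookie value of their choosing and echo the same value in a forged form, which defeats a naive "cookie equals form field" comparison. Binding the cookie value to the session with a server-side HMAC closes that gap without needing per-session server storage. The example below is added here to illustrate that difference; it is not the poster's code and not CSRFGuard's implementation. SERVER_KEY, the session ids and the attacker values are constructed for the demo. Note that neither variant helps against an existing XSS: script running in the page can read the form copy of the token and submit requests itself, which is why an XSS exploit is the usual way a CSRF token gets hijacked.

```python
"""Naive double-submit CSRF token versus a signed, session-bound one.

Added example, not CSRFGuard code. Shows why storing the token only in a
cookie is safe only if the server can tell a token it issued from one an
attacker planted.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-wide secret. In production load it from configuration
# or a KMS and rotate it; never hardcode it as done here for the demo.
SERVER_KEY = b"example-server-key-replace-me-0123456789abcdef"


def naive_token() -> str:
    """Plain double-submit: random value sent as a cookie and echoed in the form."""
    return secrets.token_urlsafe(16)


def naive_verify(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Accepts any cookie/form pair that match. Nothing ties the value to the
    server or to the session, so an attacker-planted cookie passes."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    # MAC over session id and nonce: a token minted for another session fails.
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = nonce.HMAC(key, session_id|nonce).

    Set it as the CSRF cookie (HttpOnly is optional, Secure and SameSite are
    not) and embed the same string in forms or an X-CSRF-Token header. No
    server-side lookup table is needed; the key alone lets any node verify."""
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def signed_verify(session_id: Optional[str], cookie_token: Optional[str],
                  form_token: Optional[str], key: bytes = SERVER_KEY) -> bool:
    """Double-submit check plus MAC check, both in constant time."""
    if not cookie_token or not form_token or not session_id:
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    if not sep or not nonce or not mac:
        return False
    # Recompute for *this* session: planted, tampered or cross-session tokens fail.
    return hmac.compare_digest(mac, _mac(session_id, nonce, key))


def demo() -> dict:
    """Run the legitimate flow and three attacks; return which checks passed."""
    victim_session = "sess-victim-001"          # constructed session id
    tok = issue_token(victim_session)
    legit = signed_verify(victim_session, tok, tok)

    # Attack 1: attacker plants a cookie of their choosing (subdomain or
    # non-Secure cookie) and submits the same value in the forged form.
    planted = "attacker-chosen-value"
    naive_forged = naive_verify(planted, planted)
    signed_forged = signed_verify(victim_session, planted, planted)

    # Attack 2: attacker obtains a valid token for their own session and plants it.
    attacker_tok = issue_token("sess-attacker-999")
    cross_session = signed_verify(victim_session, attacker_tok, attacker_tok)

    # Attack 3: one character of the legitimate token is altered in both copies.
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    tampered_ok = signed_verify(victim_session, tampered, tampered)

    return {
        "legit": legit,
        "naive_forged": naive_forged,
        "signed_forged": signed_forged,
        "cross_session": cross_session,
        "tampered": tampered_ok,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} accepted={ok}")
```

The MAC approach gives the "centralized lookup" the poster wants for free: every node that holds the key can verify a token without consulting a shared store. Encrypting the cookie value instead of signing it does not by itself prevent the planted-cookie attack unless the plaintext is also bound to the session and the ciphertext is authenticated.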