[Owasp-csrfguard] OWASP CSRF Token Hijack Fix

Sriram Krishnan causalbody at gmail.com
Thu Nov 9 22:18:30 UTC 2017

I am looking to incorporate OWASP CSRF 3.x into my webapp. I have some
generic questions, I hope you can help.
Firstly, thanks to you for all the existing documentation and code
contribution on this project.

Question 1
I've posted this question to Stack Overflow, basically trying to get some
insights on how the token hijacking could have been possible without the fix.
I am imagining it might be only through an existing XSS exploit, but I'm not sure.


Question 2
Are there any obvious security flaws in storing the token value (perhaps in
an encrypted form) in a session cookie instead of the HTTP session? I want to
use a centralized lookup for the token; putting it in the session will make that tricky.

Please give me some directions here.

Sriram K