[OWASP-GUIDE] White paper: Authentication and Session Management on the Web

Chris Shiflett chris at shiflett.org
Fri Feb 11 01:36:26 EST 2005


--- Paul Johnston <paul at westpoint.ltd.uk> wrote:
> Yes, the URL I sent is permanent.

I'll provide a link to this on the next update.

> I did mention the random auth token for forms, although it doesn't get
> a lot of space. In the paper what I propose is "generate a random
> token when a form is retrieved, and check it matches when the form is
> submitted". This does work fine, but I think it's actually more than
> you really need. There's no reason for the auth token to be different
> for each form. In the last web app I developed, I allocate an auth
> token at login time, at the same time as the SID. This is included as
> a hidden field on all forms, and all form submissions check it.

You're right. I think another token in this case is redundant (not even
worthy of being considered defense in depth), but only because your
session mechanism is so strong - e.g., this auth token you speak of is
exactly the same safeguard as far as CSRF protection goes. I like your
approach better, however, because of the other benefits (session hijacking
is much more difficult, etc.).

By the way, I didn't mean to suggest that you didn't say this anywhere. I
haven't had a chance to read your document very thoroughly yet.

Chris
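The two designs compared above, as an added illustration that is not code from Paul, Chris or the paper: a session-wide auth token allocated at login alongside the SID and checked on every form submission, beside the paper's per-form single-use token. It assumes a constructed in-memory session store standing in for the server-side session.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption: a real app keeps this
# server-side, keyed by the SID cookie). Each session holds the user, the
# login-time auth token, and any outstanding per-form tokens.
SESSIONS = {}

def login(user):
    """Allocate the SID and, at the same time, the session-wide auth token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "auth_token": secrets.token_hex(16),
                     "form_tokens": set()}
    return sid

def hidden_field(sid):
    """Hidden input carrying the session's auth token, emitted on every form."""
    return ('<input type="hidden" name="auth_token" value="%s">'
            % SESSIONS[sid]["auth_token"])

def check_submission(sid, posted):
    """Reject any POST whose auth_token does not match this session's token.

    A forged cross-site request cannot know the token, so it fails here even
    though the browser attached the victim's SID cookie.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    # constant-time compare so a wrong token is not distinguishable by timing
    return hmac.compare_digest(posted.get("auth_token", ""),
                               session["auth_token"])

# The per-form variant from the paper: a fresh token is generated when the
# form is retrieved and consumed on submission, so each token is single-use.
def issue_form_token(sid):
    token = secrets.token_hex(16)
    SESSIONS[sid]["form_tokens"].add(token)
    return token

def check_form_submission(sid, posted):
    session = SESSIONS.get(sid)
    if session is None:
        return False
    token = posted.get("form_token", "")
    if token in session["form_tokens"]:
        session["form_tokens"].discard(token)  # single use: replay fails
        return True
    return False
```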



