[OWASP_PHPSEC] CSRF Protection

Azeddine Islam Mennouchi azeddine.mennouchi at owasp.org
Sat Jul 20 23:29:11 UTC 2013


I think that in the jframework there is a per-page token.
I suggest, as a plus, a per-session token to overcome some user behavior
(like opening two tabs for the same form, etc.).

Regards,
Islam


On Sat, Jul 20, 2013 at 1:17 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Hello Folks,
> I was thinking of CSRF protection methods, and realized it's infeasible
> unless we provide some widget library. There's one such thing named jWidget
> in the core of the jframework project, and it is still in beta, but is based on
> security.
> Please take a peek at it, and provide these three points:
> 1. Do you know any other means of protecting against CSRF, instead of this
> approach? (The jCSRF implementation provided in a paper by R. Sekar from
> Stony Brook is one such thing. Abhishek, please study it and see if it's a good
> idea for us to implement this instead of the widget library.)
> 2. How can we abstract jWidget, to make it more of a flexible library than a
> toolset?
> 3. If you can extract the ideas inside jWidget and make a library based
> on them, how so?
>
> @Andrew, I'm really looking forward to your professional feedback on this
> as well.
> Thanks
> -Abbas


-- 
Islam Azeddine Mennouchi
Consultant at ITS
http://www.novasup.com/
OWASP ALGERIA Chapter Leader
phone n°: +213796314102
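The per-session token Islam suggests above, as an added PHP example (not code from jframework, jWidget, or either poster; the function names `csrf_session_secret`, `csrf_token_for`, `csrf_field` and `csrf_verify` are assumptions). A single secret is kept in `$_SESSION`, and the token embedded in each form is an HMAC of that secret over a form identifier, so two tabs showing the same form carry the same valid token while a token taken from one form is not valid for another:

```php
<?php
// Added example: per-session CSRF secret with per-form token derivation.
// Not jframework code; function names are assumptions for illustration.

declare(strict_types=1);

// Returns the session-wide CSRF secret, generating it on first use.
// The secret is only ever stored server-side in the session.
function csrf_session_secret(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_secret'])) {
        // 32 bytes from the CSPRNG (PHP >= 7.0).
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Derives the token for one form. Because it is a keyed hash of the
// session secret and the form identifier, every tab rendering the same
// form gets the same valid token, and a token from form A does not
// verify for form B.
function csrf_token_for(string $formId): string
{
    return hash_hmac('sha256', $formId, csrf_session_secret());
}

// Emits the hidden input to place inside a <form>.
function csrf_field(string $formId): string
{
    $token = htmlspecialchars(csrf_token_for($formId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verifies the token submitted with a POST. hash_equals() compares in
// constant time, so the check does not leak the token byte by byte.
function csrf_verify(string $formId, array $post): bool
{
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals(csrf_token_for($formId), $post['csrf_token']);
}

// Usage in a page handler (form id 'change-email' is a constructed sample):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify('change-email', $_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the state-changing request here ...
}
echo '<form method="post">' . csrf_field('change-email')
   . '<input type="email" name="email"><button>Save</button></form>';
```

Because the secret lives in `$_SESSION`, it is discarded together with the rest of the session state when the session is destroyed; after a login, call `session_regenerate_id(true)` and clear `$_SESSION['csrf_secret']` so the authenticated session does not inherit a token that was valid before authentication.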