mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-29 15:22:15 +00:00
Fixed link to CSRF checks
This commit is contained in:
parent
401f836051
commit
e4a2ac27d6
@ -324,7 +324,7 @@ This lets the expected CSRF token outlive the session.
One might ask why the expected CSRF token is not stored in a cookie by default.
One might ask why the expected CSRF token is not stored in a cookie by default.
This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips a CSRF checks when the header X-Requested-With is present].
This is the same reason Ruby on Rails https://rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails[no longer skips a CSRF checks when the header X-Requested-With is present].
See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
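Review bot: the one line this hunk rewrites still reads "no longer skips a CSRF checks when the header X-Requested-With is present", which is ungrammatical ("a ... checks"); since the line is being touched anyway, consider "no longer skips CSRF checks when the X-Requested-With header is present". The commit message ("Fixed link to CSRF checks") also does not say why the weblog.rubyonrails.org URL with its trailing slash was replaced by the rubyonrails.org one (dead link, redirect, canonical location); a short sentence in the message would let a later reader verify the replacement without re-checking both URLs.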