Put.io API design issues

66 points | moonlander | 10 years ago | miki.it

8 comments

xrstf | 10 years ago

Yeah, cookie-based auth seems suuuper convenient, especially when you build a project that's something like a CMS based on a REST API and you don't want to send auth headers back and forth all the time.

But remember: as soon as you use cookies (or anything else the browser sends by itself automatically), you need to make sure that you know that your user initiated the request, or else you get XSRF issues.

And combined with JSONP, this is basically game-over. However, when the cookie-based auth is removed, I see no problems with JSONP (for the server; the one using the JSONP has to have trust in the server to not set malicious code).

mike-cardwell | 10 years ago

Basic CSRF. If you don't know what CSRF is and how to protect against it, any website you make is probably going to be insecure. If you call yourself a web developer and don't know about CSRF, please, go learn it. I don't think I'd hire a web developer who couldn't tell me what CSRF is and how to prevent it. Even if your framework takes care of it for you, you still need to know what it is.

simonw | 10 years ago

"If you don't know what CSRF is and how to protect against it, any website you make is probably going to be insecure"

A thousand times this.

I used to give a talk about basic web application security, and my favourite part of that talk was right after explaining CSRF when I'd point out that "... and if you don't have active protection in place against this attack, your app is vulnerable right now". You could almost see people's faces turning white in the audience.

wdewind | 10 years ago

This isn't great, but I do want to speak on behalf of Put.io. It really is an incredible service and I've always had great response time from them on customer service issues. I highly encourage anyone who isn't using it to give it a look.

Sir_Cmpwn | 10 years ago

Stop using JSONP, please! Instead, just support CORS.

simonw | 10 years ago

CORS will not protect you against CSRF - in fact, if you don't apply it with caution it will open you up to CSRF attacks.