There are some discussions like this on SO claiming that CSRF protection is not required for anonymous forms. Looking at the Stack Overflow HTML code, when not logged in, you can see the CSRF token being set for the answer box when posting as an anonymous user.
A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.
If you are making requests with AJAX, you can place the CSRF token in the HTML page, and then add it to the request using the Csrf-Token header.
Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed.
Cross-site request forgery (CSRF, sometimes pronounced “sea surf” and not to be confused with cross-site scripting) is a simple yet invasive malicious exploit of a website. It involves a cyberattacker adding a button or link to a suspicious website that makes a request to another site you're authenticated on.
How does this CSRF token help protect an anonymous user?
The rule of thumb is that any state changing operation needs to be protected from CSRF attacks. So if your form is a state changing operation, it should be protected. For example, this answer describes why you need to use CSRF protection on a login form (remember that the user is anonymous when logging in). I've seen anonymous polling forms that you would also want to protect. In the case of the polling forms, the CSRF token is protecting the site's integrity (whatever integrity an anonymous polling site has).
On the other hand, some forms don't need CSRF protection. Obviously forms that are processed in JavaScript and never go to the server don't need CSRF protection. The same is true for forms that perform basic utilities such as language translation forms.
A CSRF token should be associated with a user session ID. What's the equivalent used for an anonymous user? The IP address?
Most web frameworks have stateful sessions for anonymous users. For example, PHP uses the $_SESSION variable. They typically set a cookie in the user's browser to the session ID. You would use the stateful session to store the server-side copy of the CSRF token.
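The pattern described in this answer (a server-side session that exists even for anonymous visitors, with the CSRF token stored in it and echoed into the form), as an added example that is not part of the original thread. The in-memory `SESSIONS` dict, the `sid` cookie name and the `demo()` driver are constructed stand-ins for a framework's session backend.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory session store standing in for PHP's $_SESSION.
SESSIONS: dict = {}

def get_or_create_session(cookies: dict) -> Tuple[str, dict]:
    """Return (session_id, session). Anonymous users get a session too."""
    sid = cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        sid = secrets.token_urlsafe(32)  # random, unguessable session id
        SESSIONS[sid] = {}
    return sid, SESSIONS[sid]

def issue_csrf_token(session: dict) -> str:
    """Server-side copy lives in the session; the same value goes into the form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def validate_csrf(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time compare of the submitted token against the session's copy."""
    expected = session.get("csrf")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)

def render_form(cookies: dict) -> Tuple[str, str]:
    """GET handler: embed the session's token as a hidden field."""
    sid, session = get_or_create_session(cookies)
    token = issue_csrf_token(session)
    html = f'<form method="post"><input type="hidden" name="csrf" value="{token}"></form>'
    return sid, html

def handle_post(cookies: dict, form: dict) -> str:
    """POST handler: the browser sends the cookie automatically, the token it cannot."""
    _, session = get_or_create_session(cookies)
    if not validate_csrf(session, form.get("csrf")):
        return "403 Forbidden"
    return "200 OK"

def demo() -> dict:
    # Victim's anonymous session and the token rendered into its form.
    sid, _ = render_form({})
    token = SESSIONS[sid]["csrf"]
    other_sid, _ = render_form({})  # a different visitor's session
    return {
        "legit": handle_post({"sid": sid}, {"csrf": token}),
        "forged_no_token": handle_post({"sid": sid}, {}),
        "forged_other_token": handle_post({"sid": sid}, {"csrf": SESSIONS[other_sid]["csrf"]}),
    }
```

A forged cross-site POST carries the victim's session cookie but not the hidden field, so it fails even though no user is logged in; on login the session (and with it the token) should be regenerated.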