Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Isn't CSRF a browser security issue?

Tags:

browser

security

csrf

Regarding cross-site request forgery (CSRF) attacks, if cookies are most used authentication method, why do web browsers allow sending cookies of some domain (and to that domain) from a page generated from another domain?

Isn't CSRF easily preventable in browser by disallowing such behavior?

As far as I know, this kind of security check isn't implemented in web browsers, but I don't understand why. Did I get something wrong?

About CSRF:

  • On wikipedia
  • On coding horror

Edit: I think that cookies should not be sent on http POST in the above case. That's the browser behavior that surprises me.

like image 256
Kresimir Cosic Avatar asked Oct 22 '08 00:10

Kresimir Cosic

2 Answers

Why wouldn't the browser send cookies?

Site A (http://www.sitea.com) sets a cookie for the user.

User navigates to site B (http://www.siteb.com). Site B features integration with site A - click here to do something on site A! The users clicks "here".

As far as the browser can tell, the user is making a conscious decision to make a request to site A, so it handles it the same way it would handle any request to site A, and that includes sending site A cookies in the request to site A.

Edit: I think the main issue here is that you think there is a distinction between authentication cookies and other cookies. Cookies can be used to store anything - user preferences, your last high score, or a session token. The browser has no idea what each cookie is used for. I want my cookies to always be available to the site that set them, and I want the site to make sure that it takes the necessary precautions.

Or are you saying that if you search yahoo for "gmail", and then click on the link that takes you to http://mail.google.com, you shouldn't be logged in, even if you told gmail to keep you logged in, because you clicked on the link from another site?

like image 144
Chris Marasti-Georg Avatar answered Sep 18 '22 09:09

Chris Marasti-Georg

It isn't that a browser is sending the cookie to or from an outside domain, it's the fact that you're authenticated and the site isn't validating the source of the request, so it treats it as if the request came from the site.

As far as whether a browser should disallow that... what about the many situations where cross-site requests are desirable?

Edit: to be clear, your cookie is not sent across domains.

like image 35
eyelidlessness Avatar answered Sep 19 '22 09:09

eyelidlessness
Sign in to Comment

Related questions

Generate base64 url-encoded X.509 format 2048-bit RSA public key with Swift?
Why is Docker Secrets more secure than environment variables?
SSL: How are certificates protected against man in the middle attacks?
MySQL Injection - Use SELECT query to UPDATE/DELETE
Elastic Beanstalk security patches
Preventing NoSQL injections with Elasticsearch
Auto update: Is this secure?
ASP.NET MVC - ValidateAntiForgeryToken expiring
WCF Net.tcp with sspi fails unless client and server using same windows Identity
Translating C# RSACryptoServiceProvider into JAVA Code
How can you prevent bogus high scores from appearing on a global high score list?
Understanding the Wordpress vulnerability
Security concerns with a Python PAM module?
Is there a tool to generate SDDL (Security Descriptor Definition Language) strings?
Any security issues adding a strong name key to source control for an open source project?
Customize auth error from Spring Security using OAuth2
How is PHP's mt_rand seeded?
Make PHPmailer a "more secure app" for Gmail
How to sanitize and validate user input to pass a Checkmarx scan
Authentication (Passport) enough for security with Node js backend server?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!