Re: [GSoC] Development of Cuirass.
From: Mathieu Lirzin
Subject: Re: [GSoC] Development of Cuirass.
Date: Sun, 12 Mar 2017 19:41:12 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hello Florian,
"pelzflorian (Florian Pelz)" <address@hidden> writes:
> On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
>> Sensitive requests should be done with an
>> authentication mechanism which is not determined yet. I currently
>> have no experience with any and lack the knowledge to properly choose
>> one.
>
> I’m new to Guix and Scheme and no expert in Web programming, but in
> order to prevent CSRF and in order not to rely on JavaScript, the server
> should run with HTTPS (of course) and
> · use a secret session token and
> · send a customized Web page to the client adapted so that each link and
> form to the server includes the session token as a GET or POST parameter.
>
> An alternative is Basic Access Authentication with HTTPS or Cookies with
> HTTPS but they are vulnerable to CSRF.
>
> See stackoverflow, for example
>
> https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication
Thanks for your input.
Have you any experience/advice regarding OAuth or JSON Web Token (JWT)?
--
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
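The scheme Florian describes above (a per-session secret token that the server embeds in every link and form to a sensitive endpoint, and checks on arrival) is shown below as an added example. It is not code from Cuirass or from either poster; the endpoint paths, the in-memory session store and the sample page are constructed for illustration. The point it makes explicit is why this stops CSRF: a cross-site page can make the victim's browser send its session cookie, but it cannot read the token out of HTML the server rendered for the victim, so a forged request arrives without a valid token.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory session store: session id (carried by a cookie)
# -> secret CSRF token that only ever appears inside pages rendered for
# that session. Never sent in a cookie, so cross-site requests lack it.
SESSIONS: Dict[str, str] = {}

# Hypothetical state-changing endpoints of a CI server. Any of these can
# be hit cross-site by a browser, so each requires the session token.
SENSITIVE = {"/builds/restart", "/builds/cancel"}


def create_session() -> str:
    """Start a session and mint a fresh, unguessable token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_page(sid: str) -> str:
    """Render a page whose links and forms carry the session's token.

    The token travels as a GET parameter in links and as a hidden POST
    field in forms, exactly as the quoted message proposes.
    """
    token = SESSIONS[sid]
    link = "/builds/restart?" + urlencode({"id": 42, "token": token})
    form = (
        '<form method="POST" action="/builds/cancel">'
        '<input type="hidden" name="id" value="42">'
        f'<input type="hidden" name="token" value="{escape(token)}">'
        "<button>Cancel</button></form>"
    )
    return f'<a href="{escape(link)}">Restart</a>\n{form}'


def authorize(cookie_sid: Optional[str], path: str, params: Dict[str, str]) -> bool:
    """Decide whether a request may act on the given path.

    The check is the same whether the token came as a GET or a POST
    parameter: it must be present and equal to the one minted for the
    session identified by the cookie. Comparison is constant-time.
    """
    if path not in SENSITIVE:
        return True  # public page, no token needed
    expected = SESSIONS.get(cookie_sid) if cookie_sid else None
    if expected is None:
        return False  # no live session behind this cookie
    supplied = params.get("token")
    if not isinstance(supplied, str):
        return False  # token missing: treat as a forged request
    return hmac.compare_digest(supplied.encode(), expected.encode())


def params_from_link(href: str) -> Tuple[str, Dict[str, str]]:
    """Split a rendered link into its path and single-valued parameters."""
    url = urlparse(href)
    return url.path, {k: v[0] for k, v in parse_qs(url.query).items()}


def demo() -> Dict[str, bool]:
    """Exercise legitimate and forged requests against the check."""
    sid = create_session()
    page = render_page(sid)
    # A real browser would follow the rendered link; extract it the same way.
    href = page.split('href="')[1].split('"')[0].replace("&amp;", "&")
    path, params = params_from_link(href)
    return {
        "legit_get": authorize(sid, path, params),
        "legit_post": authorize(sid, "/builds/cancel",
                                {"id": "42", "token": SESSIONS[sid]}),
        # Forged cross-site request: cookie present, token absent or guessed.
        "forged_no_token": authorize(sid, "/builds/cancel", {"id": "42"}),
        "forged_wrong_token": authorize(sid, "/builds/restart",
                                       {"id": "42", "token": "guess"}),
        # Token without a matching session is just as useless.
        "no_session": authorize(None, "/builds/cancel", {"token": SESSIONS[sid]}),
        "public_page": authorize(None, "/builds", {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

One caveat worth keeping in mind with the GET variant: a token placed in a URL can end up in server logs, browser history and Referer headers, so hidden POST fields are the safer of the two carriers the message mentions, and the token should be tied to the session's lifetime so a leaked one expires with the login.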