On 2016-09-29 1:00 PM, Brian Wolff wrote:
Personally, my preferred solution [0] [I might be biased in evaluating them] would be to base the CSRF token on a session cookie if one exists. If one does not exist, use an HMAC of the user's IP address, keyed using a server-side secret (the only state an anon has is what IP address it is, so this should be safe). This way it will work for users without cookies (maybe none exist, but I like the idea you can edit Wikipedia without cookies) and for users who have rapidly changing IPs. It will also have minimal breakage, as you won't have to adjust any existing usages of tokens (for example, on special pages).
Users with a rapidly changing IP will get an invalid CSRF warning page before they get the session cookie they need in order to edit. Krinkle's suggestion of having JS initiate the POST after fetching the edit token and initiating the session was an ingenious method of eliminating that notice for those users.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
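The token scheme Brian proposes above, written out as an added example in Python (not code from the thread or from MediaWiki): the token is an HMAC under a server-side secret over either the session id or, for anonymous users, the client IP, so the server stores nothing per token. The secret value, the IP addresses and the session id are constructed for the demonstration; the `demo` function shows why an anonymous editor whose IP changes between GET and POST hits the invalid-token page Daniel mentions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder secret for the example; a real deployment would
# load a long random value from configuration and rotate it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def csrf_token(session_id: Optional[str], client_ip: str,
               secret: bytes = SERVER_SECRET) -> str:
    """Derive a CSRF token bound to the session cookie when one exists,
    otherwise to the anonymous client's IP address (the only state an
    anon has). Prefixes keep the two key spaces from colliding."""
    if session_id:
        message = b"session:" + session_id.encode()
    else:
        message = b"anon-ip:" + client_ip.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_csrf_token(token: str, session_id: Optional[str], client_ip: str,
                      secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the token for the current request and compare it in
    constant time, so a forged or stale token is rejected without
    leaking which bytes differ."""
    expected = csrf_token(session_id, client_ip, secret)
    return hmac.compare_digest(expected, token)


def demo(form_ip: str, submit_ip: str, session_id: Optional[str]) -> str:
    """Mint a token when the edit form is served from form_ip, then check
    it on the POST arriving from submit_ip. Anonymous tokens are tied to
    the IP, so a changed address yields the invalid-token warning; a
    session-bound token survives the address change."""
    token = csrf_token(session_id, form_ip)
    if verify_csrf_token(token, session_id, submit_ip):
        return "edit accepted"
    return "invalid CSRF token warning page"


if __name__ == "__main__":
    print(demo("203.0.113.7", "203.0.113.7", None))    # stable anon IP
    print(demo("203.0.113.7", "203.0.113.8", None))    # anon IP changed
    print(demo("203.0.113.7", "198.51.100.1", "s3ss"))  # logged in, IP changed
```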