Does anyone see any downsides of doing the following to prevent CSRF?
Posted by Spines on Stack Overflow
Published on 2010-03-23T22:11:27Z, indexed on 2010/03/23 22:23 UTC
I'm wondering if the following method will completely prevent CSRF, and be compatible with all users.
Here it is:
In the form just include an extra parameter that is: encrypted(user's userID + request time). Server-side just decrypt and make sure it's the right userID and the request time was reasonably recent.
Aside from someone sniffing the user's traffic, is this completely secure? Are there any downsides?
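Worked example of the scheme in the question, added here as an illustration; it is not code from the post or from Stack Overflow. It uses an HMAC under a server secret where the question says "encrypt"/"decrypt": the user ID and timestamp do not need to be hidden from the browser, they need to be unforgeable, and a bare cipher without a MAC (a block cipher in CBC mode, say) does not give that by itself. The secret key, the token lifetime, the token layout and the sample user IDs are assumptions chosen for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption for this example: one long-lived server secret.  A real
# deployment loads it from configuration; generating it at import time keeps
# the example self-contained (and invalidates every token on restart).
SECRET_KEY = secrets.token_bytes(32)

# How old a token may be before the server rejects it.  Assumed value; the
# question only says "reasonably recent".
TOKEN_MAX_AGE = 15 * 60


def make_csrf_token(user_id: str, now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Build the extra form parameter: (userID, request time) bound together
    under the server secret.  An HMAC stands in for 'encrypt' because the
    fields need not be secret, they must be impossible to forge without the key."""
    ts = int(time.time()) if now is None else int(now)
    payload = f"{user_id}:{ts}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{tag}".encode()).decode()


def verify_csrf_token(token: str, session_user_id: str, now: Optional[int] = None,
                      key: bytes = SECRET_KEY, max_age: int = TOKEN_MAX_AGE) -> bool:
    """Server-side check: integrity first, then the two fields the question
    proposes checking, that the userID matches the logged-in session and that
    the request time is recent.  Any malformed input is rejected."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user_id, ts_str, tag = raw.rsplit(":", 2)
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False

    # Recompute the tag over exactly the bytes that were signed.
    expected = hmac.new(key, f"{user_id}:{ts_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # forged or tampered token
    if not hmac.compare_digest(user_id.encode(), session_user_id.encode()):
        return False  # genuine token, but issued to a different user
    current = int(time.time()) if now is None else int(now)
    age = current - ts
    return 0 <= age <= max_age  # reject stale tokens and tokens dated in the future


if __name__ == "__main__":
    now = int(time.time())
    token = make_csrf_token("alice", now=now)
    print("fresh token, alice's session:", verify_csrf_token(token, "alice", now=now))
    print("same token, bob's session:   ", verify_csrf_token(token, "bob", now=now))
    print("after the window:            ", verify_csrf_token(token, "alice", now=now + TOKEN_MAX_AGE + 1))
```

Two things the example makes visible. Verification needs nothing stored per request, only the session's user ID to compare against, so the scheme is as cheap as the question hopes. On the other side, every token for a user is accepted for every request by that user during its window, so a token that leaks (the sniffing case the question sets aside) can be replayed until it expires; a shorter TOKEN_MAX_AGE narrows that, and hmac.compare_digest keeps both the tag and the user ID comparison constant-time.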