Does anyone see any downsides of doing the following to prevent CSRF?

Posted by Spines on Stack Overflow
Published on 2010-03-23T22:11:27Z Indexed on 2010/03/23 22:23 UTC

I'm wondering if the following method will completely prevent CSRF, and be compatible with all users.

Here it is:

In the form just include an extra parameter that is: encrypted(user's userID + request time). Server-side just decrypt and make sure it's the right userID and the request time was reasonably recent.

Aside from someone sniffing the user's traffic, is this completely secure? Are there any downsides?
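
The token described in the question, sketched as an added example that is not part of the original post. It swaps the encryption step for an HMAC over the same two fields (user ID and request time), since the server only needs to detect forgery; `SECRET_KEY`, `MAX_AGE_SECONDS`, `issue_token` and `verify_token` are assumed names.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET_KEY = b"constructed-demo-key-not-for-production"
# Assumption: what "reasonably recent" means for this application.
MAX_AGE_SECONDS = 3600


def _mac(user_id: str, issued_at: int) -> str:
    # Length-prefix the user ID so the two fields cannot be re-split
    # into a different (user ID, time) pair with the same MAC input.
    msg = f"{len(user_id)}:{user_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[int] = None) -> str:
    """Value for the extra hidden form parameter."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(user_id, issued_at)}"


def verify_token(token: str, session_user_id: str,
                 now: Optional[int] = None) -> bool:
    """Check the token against the user ID taken from the server-side session."""
    now = int(time.time()) if now is None else now
    try:
        ts_text, mac = token.split(".", 1)
        issued_at = int(ts_text)
        mac_bytes = mac.encode("ascii")
    except ValueError:
        return False  # malformed token: missing separator, bad time, non-ASCII
    expected = _mac(session_user_id, issued_at).encode("ascii")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac_bytes, expected):
        return False
    # Reject tokens from the future as well as expired ones. The token is
    # not single-use: it stays valid for this user until it ages out.
    return 0 <= now - issued_at <= MAX_AGE_SECONDS
```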
