I have taken over a web application project, only to find out that some form action scripts are checking for a certain cookie value to be present, usually nothing more than just the name (attribute) of the form. The cookie values are normally set on the form page before submitting the form. Aside from this, no other security measure is taken. The posted values are accessed directly without being exposed to any filtering, and no CSRF tokens are used. There is just this cookie check.
How safe and good is this as a practice?
I will surely implement posted variable filtering and the CSRF token check, but I want to know if I should remove the simple cookie value check.
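To make the question concrete, here is an added example (not code from the project in the question) contrasting the described cookie-presence check with a synchronizer-token check. The function and cookie names are hypothetical; the point it shows is that a browser attaches the site's cookies to a cross-site form post automatically, so a presence check cannot tell a legitimate post from a forged one, whereas a per-session token that only the real form page can embed can.

```python
import hmac
import secrets

# The pattern from the question (hypothetical names): the form page sets a
# cookie named after the form and the action script only checks that it exists.
def weak_cookie_check(cookies: dict, form_name: str) -> bool:
    return form_name in cookies

# Hardened alternative: a synchronizer token kept in the server-side session
# and echoed back in a hidden form field.  A cross-site page cannot read the
# victim's session or form page, so it cannot supply the token.
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def csrf_token_check(session: dict, posted: dict) -> bool:
    expected = session.get("csrf_token")
    supplied = posted.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, supplied)

def demo() -> dict:
    # Constructed scenario: the victim has loaded the form page, so the
    # form cookie is set and a token has been issued into the session.
    session = {}
    cookies = {"contact_form": "1"}          # set by the form page
    token = issue_csrf_token(session)
    legit_post = {"email": "user@example.com", "csrf_token": token}
    # A forged cross-site post: the browser still sends the same cookies,
    # but the hidden token field is absent because the attacker's page
    # never saw it.
    forged_post = {"email": "changed@example.com"}
    return {
        "weak_legit": weak_cookie_check(cookies, "contact_form"),
        "weak_forged": weak_cookie_check(cookies, "contact_form"),
        "token_legit": csrf_token_check(session, legit_post),
        "token_forged": csrf_token_check(session, forged_post),
    }

if __name__ == "__main__":
    print(demo())
```

The weak check accepts both posts; only the token check distinguishes them.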