Mastodon Feed: Post

Reblogged by nadim@symbolic.software ("Nadim Kobeissi"):

neilmadden@infosec.exchange ("Neil Madden") wrote:

Throwaway idea for a novel #CSRF defence: use an encrypted session cookie, but with a random key that then becomes the anti-csrf token. Now you are guaranteed that the session cookie cannot be used without the csrf token.