
Subject: [OASIS Issue Tracker] Commented: (ODATA-262) Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)


    [ http://tools.oasis-open.org/issues/browse/ODATA-262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=32779#action_32779 ] 

Ralf Handl commented on ODATA-262:
----------------------------------

CSRF protection needs some token that is not automatically sent by the user agent (that's why cookies are not helpful here). 

For authentication, on the other hand, session tokens that are automatically sent by the user agent (i.e. cookies) are extremely helpful as they allow exploring protected services/resources with standard tools (browsers). If the session token were only sent in a header, easy exploration of OData services would become impossible.

That's why separating authentication/session tokens in cookies from anti-CSRF tokens in headers seems like a good idea.

Using the same token in a cookie and a header may or may not introduce a security hole.

> Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)
> ---------------------------------------------------------------------------------------------
>
>                 Key: ODATA-262
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-262
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: New Feature
>          Components: OData Protocol 
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Ralf Handl
>             Fix For: V4.0_WD01
>
>
> A good CSRF protection pattern is that the server issues a CSRF token that is communicated to the in a special header in responses to GET requests.
> This CSRF token must be included in a special header in subsequent modifying requests.
> To guarantee interoperability between different OData implementations the choreography, header names, and header formats must be standardized.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
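Added example, not part of the JIRA thread or of any OData implementation: a minimal in-memory sketch of the choreography discussed above, with the session identity carried in a cookie, an anti-CSRF token issued in a response header on GET, and that token required in a request header on modifying requests. The header name, cookie name and session store are assumptions; the issue explicitly leaves the names and formats to be standardized.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for this example; the issue leaves them to be standardized.
CSRF_HEADER = "X-CSRF-Token"
SESSION_COOKIE = "SESSION"
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Server:
    # Constructed in-memory store: session id -> CSRF token bound to that session.
    tokens: dict = field(default_factory=dict)

    def handle(self, method, headers, cookies):
        """Return (status, response_headers) for one request.

        The cookie is sent automatically by the browser, so it identifies the
        session but proves nothing about the request's origin. The header is
        never attached automatically, so a cross-site page cannot supply it.
        """
        session = cookies.get(SESSION_COOKIE)
        if session is None:
            return 401, {}
        if method == "GET":
            # Issue a per-session token (stable across GETs) in a response header.
            token = self.tokens.setdefault(session, secrets.token_urlsafe(32))
            return 200, {CSRF_HEADER: token}
        if method in MODIFYING_METHODS:
            expected = self.tokens.get(session)
            presented = headers.get(CSRF_HEADER)
            # Constant-time comparison; missing token on either side is a rejection.
            if expected is None or presented is None \
                    or not hmac.compare_digest(expected, presented):
                return 403, {}
            return 204, {}
        return 405, {}


def demo():
    """Forged request (cookie only) fails; token fetched via GET succeeds; wrong token fails."""
    srv = Server()
    cookies = {SESSION_COOKIE: "sess-123"}  # constructed session id
    forged = srv.handle("POST", {}, cookies)
    _, hdrs = srv.handle("GET", {}, cookies)
    legit = srv.handle("PATCH", {CSRF_HEADER: hdrs[CSRF_HEADER]}, cookies)
    wrong = srv.handle("DELETE", {CSRF_HEADER: "guess"}, cookies)
    return forged[0], legit[0], wrong[0]
```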
