--- [EMAIL PROTECTED] wrote:
> Hello Curt,
>
> Yes, the /. system depends on cookies to keep the user logged
> in.
>
> However, a CSRF attack is NOT trying to access a third-party
> cookie.
>
> The web browser makes the same GET request whether it is using
> an <img/> tag or the user is clicking on a link. So in either case
> the cookies are in the context of the website to which the
> cookies belong.
>
> Maybe Chris can correct me if I am wrong here.
Well, you're not really wrong, but I think I can clarify what Curt was trying to say, and then he can correct me if I'm wrong. :-)

When a browser makes a request for an embedded resource (an image is just one example), it is identical to the request it would make if the user were to browse to that same URL manually. I think we're all in agreement here. Thus, the same cookies would be included in this request.

What Curt is suggesting, I believe, is that your version of IE might behave differently, by default. It might not include cookies in requests for embedded resources when those resources are located at a different domain (thus his mention of third-party cookies). For example, if you're at http://example.org/, and it has an image from http://slashdot.org/, the browser won't include its slashdot.org cookies when making the request to Slashdot. This is an option for most browsers, but it has never been the default behavior for any, to my knowledge.

Maybe that helps clarify something... :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
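The behavior the two messages above are discussing, as an added example that is not part of the original thread or of any poster's code: a small JavaScript model of which cookies a browser attaches to a request (RFC 6265 domain and path matching, plus an opt-in "block third-party cookies" policy), followed by a constructed server-side vote handler in its cookie-only form and in a form that also requires a per-session token. The hosts, cookie names, session store and token value are constructed for illustration; the same-site test approximates the registrable domain by the last two host labels, which real browsers do with the Public Suffix List.

```javascript
// Added example (not from the original thread). Hosts, cookie names,
// the session store and the token value are constructed for illustration.

// RFC 6265 section 5.1.3 domain-match (IP-address corner case ignored).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simplified "same site": compare the last two host labels. Real browsers
// use the Public Suffix List; this is enough for example.org vs slashdot.org.
function sameSite(hostA, hostB) {
  const site = (h) => h.toLowerCase().split(".").slice(-2).join(".");
  return site(hostA) === site(hostB);
}

// Which cookies go out on a request. `initiator` is the top-level page that
// caused the request: the page holding the <img>, or the URL itself for a
// manual navigation. The request is built the same way either way; only the
// third-party-cookie policy can change the outcome, and it is off by default.
function cookiesForRequest(jar, request, policy = { blockThirdPartyCookies: false }) {
  const url = new URL(request.url);
  const initiator = new URL(request.initiator || request.url);
  const isThirdParty = !sameSite(url.hostname, initiator.hostname);
  if (isThirdParty && policy.blockThirdPartyCookies) return [];
  return jar.filter((c) =>
    domainMatches(url.hostname, c.domain) &&
    pathMatches(url.pathname, c.path) &&
    (!c.secure || url.protocol === "https:"));
}

// Server side (constructed): sessions keyed by the value of the "sid" cookie.
const SESSIONS = { s3ss10n: { user: "curt", csrfToken: "r4nd0m-per-session" } };

function sessionFrom(cookies) {
  const sid = cookies.find((c) => c.name === "sid");
  return sid ? SESSIONS[sid.value] : undefined;
}

// Vulnerable form: a state-changing GET authenticated by the cookie alone.
function voteVulnerable(cookies, query) {
  const session = sessionFrom(cookies);
  if (!session) return { status: 401 };
  return { status: 200, votedBy: session.user, story: query.id };
}

// Hardened form: also require a per-session token that lives in the page the
// user is looking at, not in the cookie jar. The browser attaches cookies to
// a forged <img> request automatically, but the forging page cannot read or
// supply the token.
function voteHardened(cookies, query) {
  const session = sessionFrom(cookies);
  if (!session) return { status: 401 };
  if (query.token !== session.csrfToken) return { status: 403 };
  return { status: 200, votedBy: session.user, story: query.id };
}

// Walkthrough of the forged request discussed in the thread: a page on
// example.org embeds <img src="http://slashdot.org/vote.pl?id=42">.
const JAR = [{ name: "sid", value: "s3ss10n", domain: "slashdot.org", path: "/", secure: false }];
const FORGED = { url: "http://slashdot.org/vote.pl?id=42", initiator: "http://example.org/evil.html" };

function demo() {
  const sent = cookiesForRequest(JAR, FORGED);
  const query = Object.fromEntries(new URL(FORGED.url).searchParams);
  return {
    cookiesSent: sent.map((c) => c.name),                 // ["sid"]: the session rides along
    vulnerable: voteVulnerable(sent, query).status,       // 200: vote cast on Curt's behalf
    hardened: voteHardened(sent, query).status,           // 403: no token in the forged URL
    withThirdPartyBlocked: cookiesForRequest(JAR, FORGED, { blockThirdPartyCookies: true }).length, // 0
  };
}

console.log(demo());
```

Running the block prints the four results in `demo()`: the default policy sends the slashdot.org session cookie on the cross-site image request, the cookie-only handler accepts it, the token-checking handler rejects it, and only the non-default "block third-party cookies" policy keeps the cookie from being sent at all.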