Do I need an anonymous CSRF comment / mailbox? If not, why does SO use it and how to implement it?

It discusses how this is on SO, arguing that CSRF protection is not required for anonymous forms. Looking at the Stack Overflow HTML code, if you are not logged in, you can see that a CSRF token is sent to an anonymous user.

  • How does this CSRF token help protect an anonymous user?
  • The CSRF token must be associated with a user session identifier. What equivalent is used for an anonymous user? IP address?
+4
2 answers

How does this CSRF token help protect an anonymous user?

, CSRF. , - , . , , CSRF (, ). , . CSRF ( ).

, CSRF. , , JavaScript , CSRF. , , .

csrf . ? IP-?

- . , PHP $_SESSION. cookie . CSRF.

+1

.

csrf ?

, . (IP-, , , cookie ..), . , CSRF, , Origin referer.

csrf . , ? IP-?

, CSRF. Double Submit Cookies.

, :

  • HTTP- HTML- Set-Cookie: , .
  • , cookie, , .

"" , , cookie , (.. , ).

+1
