Comments on: How can any web page log you off all other websites? http://www.acunetix.com/blog/web-security-zone/articles/how-can-any-web-page-log-you-off-all-other-websites/ Acunetix Web Application Security Blog Fri, 10 Sep 2010 07:00:50 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Sandro http://www.acunetix.com/blog/web-security-zone/articles/how-can-any-web-page-log-you-off-all-other-websites/comment-page-1/#comment-546 Sandro Mon, 29 Dec 2008 23:10:40 +0000 http://www.acunetix.com/blog/?p=237#comment-546 Hi Kristian Yes if the secret is only used once, then that would be a nonce. However it appears to me that many sites do not use a nonce .. the secret does not change with each request. While they do not make use of a nonce, they still defeat CSRF attacks. Nonce would be an interesting solution but it might increase overheads on high traffic sites while not having enough benefits over a static secret. Hi Kristian

Yes if the secret is only used once, then that would be a nonce. However it appears to me that many sites do not use a nonce .. the secret does not change with each request. While they do not make use of a nonce, they still defeat CSRF attacks.

Nonce would be an interesting solution but it might increase overheads on high traffic sites while not having enough benefits over a static secret.

]]> By: Kristian Erik Hermansen http://www.acunetix.com/blog/web-security-zone/articles/how-can-any-web-page-log-you-off-all-other-websites/comment-page-1/#comment-545 Kristian Erik Hermansen Mon, 29 Dec 2008 17:43:17 +0000 http://www.acunetix.com/blog/?p=237#comment-545 It's called a 'nonce' :-) http://en.wikipedia.org/wiki/Cryptographic_nonce It’s called a ‘nonce’ :-)
http://en.wikipedia.org/wiki/Cryptographic_nonce

]]>