Hacker News

This wouldn't be possible if OkCupid stored its credentials in sessionStorage or localStorage instead of cookies, right?



With modern browsers, there are almost a dozen ways to defend against CSRF. You can use sessionStorage and force all requests to be XHR. Set the "new" flag on session cookies to not transmit cross-origin. Check the Origin header for all POST requests. Set a token in the forms (the "classic" way).



