Tags: security, http, authentication, csrf, owasp

Are there reasons why web devs don't use CSRF protection for login pages?


I recently realized that a few production web applications I was running didn't have CSRF protection for the login page.

It is only after authentication that CSRF protection kicks in.

I was just wondering if there are reasons why developers/administrators would do this. Could it be due to the heavy load of tracking anonymous users? Just thinking out loud.

Love to hear from all of y'all!

cheers

Jiachen:)


Solution

  • CSRF involves silent exploits while the user is already logged in in the browser (in another tab, let's say).

    If he is not, that request would not do anything, or would simply reveal the attack by popping up a login form.

    So, to defend stupid web users from harming themselves, yeah, I guess you could try to carry some anti-CSRF token. But now, tell me how you begin that anti-CSRF protection again? How could I possibly post my anti-CSRF token along with the login form the first time? I would have to land on / or something else to get the anti-CSRF token while receiving the login page. But most sites have the login form straight on the first landing page. Hence the browser cannot present an anti-CSRF token on the first request (cannot use cookies, because they would be sent by the browser even during the attacking request).

    Anyway, that's my guess.
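As an added example (not code from the original post or answer), here is one way a login form can carry a pre-authentication anti-CSRF token: the server sets an anonymous pre-session cookie on the first GET and embeds an HMAC of it as a hidden form field, so the browser sends the cookie automatically but only a page that rendered the form can echo the matching field. `SERVER_KEY`, the function names and the constructed requests are assumptions, not a real framework's API.

```python
# Added example: pre-authentication anti-CSRF token for a login form.
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(presession: str) -> str:
    """Derive the form token from the pre-session id (nothing stored server-side)."""
    return hmac.new(SERVER_KEY, presession.encode(), hashlib.sha256).hexdigest()


def serve_login_page():
    """GET /login: mint an anonymous pre-session id; return the Set-Cookie value,
    the token embedded in the form, and the rendered form."""
    presession = secrets.token_urlsafe(32)
    token = csrf_token_for(presession)
    set_cookie = f"presession={presession}; Path=/; Secure; HttpOnly; SameSite=Lax"
    form = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="user"><input name="pass" type="password">'
        "<button>Log in</button></form>"
    )
    return set_cookie, token, form


def accept_login_post(cookies: dict, form: dict) -> bool:
    """POST /login: the cookie arrives with any cross-site request, but the
    token in the body must match it. Constant-time compare avoids a timing leak."""
    presession = cookies.get("presession")
    submitted = form.get("csrf", "")
    if not presession or not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(presession), submitted)


def demo() -> dict:
    """Legitimate flow versus two cross-site attempts (constructed requests)."""
    set_cookie, token, _ = serve_login_page()
    victim_cookie = {"presession": set_cookie.split(";")[0].split("=", 1)[1]}
    # A third party can fetch its own login page and token, but that token is
    # bound to a different pre-session than the cookie the victim's browser sends.
    _, foreign_token, _ = serve_login_page()
    return {
        "legit": accept_login_post(victim_cookie, {"csrf": token, "user": "alice", "pass": "x"}),
        "cross_site_no_token": accept_login_post(victim_cookie, {"user": "mallory", "pass": "x"}),
        "cross_site_foreign_token": accept_login_post(victim_cookie, {"csrf": foreign_token}),
    }
```

Only the first request in `demo()` is accepted; the other two show why the automatically sent cookie alone is not enough to forge a login.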