3 comments

[ 3.0 ms ] story [ 18.2 ms ] thread
Terrible, Terrible advice.

Here's an actual quote from the article:

"...unless you are operating at the size of Reddit, you will not need 'stateless sessions'." So for the rest of 99% of the technology world, you don't need stateless session because TFA says so.

Why would the advice be terrible?

There are some "hard" trade-offs in using stateless sessions and the article argues that you are better off storing sessions on the server, as long as it doesn't start costing you more than dealing with such trade-offs.

This line is just incorrect:

> The only correct CSRF mitigation is a CSRF token

Custom headers are better, imho, if you have an ajax-driven app. There is 0 chance of csrf ever happening if you require the session token be passed in a custom header and hold the session value in localstorage.

Source: I am an infosec professional.