Hi everyone:
Currently, the CSRF token for anonymous users is very predictable. This potentially allows someone to make CSRF attacks against non-logged-in users. I would like to propose we change that. Since this is a sort of major change, I'd appreciate everyone's feedback.
There are multiple proposals on the bug - https://phabricator.wikimedia.org/T40417#2612673 . It's unclear which solution we should choose.
Personally, my preferred solution [0] [I might be biased in evaluating them] would be to base the CSRF token on a session cookie if one exists. If one does not exist, use an HMAC of the user's IP address, keyed using a server-side secret (the only state an anon has is what IP address it is, so this should be safe). This way it will work for users without cookies (maybe none exist, but I like the idea that you can edit Wikipedia without cookies) and for users who have rapidly changing IPs. It will also have minimal breakage, as you won't have to adjust any existing usages of tokens (for example, on special pages). It also ensures that users are not forced to skip the Varnish cache (from session cookie) unless they really need to.
Anyways, I'd appreciate everyone's comments. I would really like to settle on a specific implementation, and then go do it.
[0] https://phabricator.wikimedia.org/T40417#2034118
-- Bawolff
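The token scheme proposed above (session cookie if present, otherwise a keyed HMAC of the client IP), as an added illustration; this is not MediaWiki code and not from the thread. The server secret, session id format and IP addresses are constructed placeholders, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder: a real deployment loads this from configuration.
# Rotating it invalidates every outstanding anonymous token at once.
SERVER_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def new_session_id() -> str:
    """Unguessable session cookie value (what an anon gets once a session exists)."""
    return secrets.token_hex(16)


def _token_base(session_id: Optional[str], client_ip: str) -> bytes:
    """Pick the one piece of state an anonymous client actually has.

    The session cookie is preferred when one exists, so the token survives an
    IP change; without cookies we fall back to the client IP. The prefixes keep
    a session id from ever colliding with an IP string.
    """
    if session_id:
        return b"session:" + session_id.encode("utf-8")
    return b"ip:" + client_ip.encode("utf-8")


def make_anon_token(session_id: Optional[str], client_ip: str,
                    secret: bytes = SERVER_SECRET) -> str:
    """Derive the CSRF token. Knowing the IP or session id alone is not enough:
    without the server-side key the HMAC output is not computable."""
    return hmac.new(secret, _token_base(session_id, client_ip),
                    hashlib.sha256).hexdigest()


def check_anon_token(submitted: str, session_id: Optional[str], client_ip: str,
                     secret: bytes = SERVER_SECRET) -> bool:
    """Recompute and compare in constant time so the check leaks nothing."""
    expected = make_anon_token(session_id, client_ip, secret)
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    # Constructed sample clients (RFC 5737 documentation addresses).
    ip_a, ip_b = "203.0.113.5", "203.0.113.6"
    cookieless = make_anon_token(None, ip_a)
    print("cookieless token for", ip_a, "->", cookieless)
    print("same IP verifies:", check_anon_token(cookieless, None, ip_a))
    print("other IP verifies:", check_anon_token(cookieless, None, ip_b))
    sid = new_session_id()
    print("session token stable across IP change:",
          make_anon_token(sid, ip_a) == make_anon_token(sid, ip_b))
```

Two properties worth noting: a token minted without a cookie is bound to that IP, so a client whose address changes mid-edit gets a fresh token (the cookie path is what handles rapidly changing IPs), and the keyed HMAC means the secret, not the IP, is what an attacker would need.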