Praneeth

Reputation: 1487

Is a website without authentication vulnerable to CSRF?

I just started learning about CSRF. As per the OWASP CSRF article:

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated

If a website doesn't accept any user authentication, or if authentication information is not stored in cookies, does that mean that it is not vulnerable to CSRF?

I developed a website which asks the user to enter his ticket information and checks the info against the database; if it is correct, the user is navigated to a page where he needs to provide his credit card information, and his record is updated. Do I need to worry about CSRF? Or is the ticket information itself considered authentication?

Upvotes: 1

Views: 157

Answers (1)

jjm

Reputation: 6198

You have to worry about cross-site request forgery if your site uses sessions that allow users to do privileged actions. Since I assume that you create a session property indicating that the user's ticket info is valid, yes you do.

Upvotes: 2
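The following is an added example, not part of the question or the answer above: a sketch of the two-step flow with a session property set after the ticket check and a session-bound CSRF token required on the card submission. The function names, the in-memory session store and the HMAC-derived token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: a per-deployment secret and an in-memory session store.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> server-side session state


def validate_ticket(ticket_ok):
    """Step 1: once the ticket matches the database, create the session."""
    if not ticket_ok:
        return None
    sid = secrets.token_urlsafe(32)
    # This flag is the "session property" that makes later requests privileged.
    SESSIONS[sid] = {"ticket_valid": True, "card_updated": False}
    return sid


def csrf_token(sid):
    """Token rendered into the card form; derived from the session id."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def submit_card(sid_cookie, form_token):
    """Step 2: handle the card POST and return an HTTP-style status code."""
    session = SESSIONS.get(sid_cookie)
    if session is None or not session["ticket_valid"]:
        return 401  # no validated ticket behind this cookie
    expected = csrf_token(sid_cookie)
    # The browser attaches the cookie automatically, even to a request that
    # another site triggered. The form token is only present when the request
    # came from a page this site rendered for this session.
    if not form_token or not hmac.compare_digest(
        expected.encode(), form_token.encode()
    ):
        return 403
    session["card_updated"] = True
    return 200
```

Without the token check, the session cookie alone would authorize the record update, which is the situation the answer describes.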
