httpauth.py, cookies.fhtml: Randomize CSRF token to prevent BREACH.

[chopwood] / cookies.fhtml

diff --git a/cookies.fhtml b/cookies.fhtml
index f8862b33d9e68adef882d5b0d77160516d5cd800..58b725e9a5be5a5cded48f6a4767d88147c42db1 100644 (file)
--- a/cookies.fhtml
+++ b/cookies.fhtml
@@ -59,9 +59,9 @@ message whenever you hit the reload button.
 <p>If you actually look at the cookie, you find that it looks something like
 this:
 <blockquote>
-  <tt>1357322139.HFsD16dOh1jjdhXdO%24gkjQ.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
+  <tt>1357322139.eBcBNYFhi6sKpGuahfr7yQDzqOJuYZZexJbVug9ultU.mdw</tt>
 </blockquote>
-(Did I say something about long and ugly?)  It consists of four pieces
+(Did I say something about long and ugly?)  It consists of three pieces
 separated by dots &lsquo;<tt>.</tt>&rsquo;.
 
 <dl>
@@ -70,13 +70,6 @@ separated by dots &lsquo;<tt>.</tt>&rsquo;.
 seconds since 1974&ndash;01&ndash;01 00:00:00 UTC (or what would have been
 that if UTC had existed back then in its current form).
 
-<dt>Nonce
-<dd>This is just a random string.  When you change a password, the server
-checks that the request includes a copy of this nonce, as a protection
-against
-<a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery"><em>cross-site
-request forgery</em></a> attacks.
-
 <dt>Tag
 <dd>This is a cryptographic check that the other parts of the token
 haven&rsquo;t been modfied by an attacker.