Chris Shiflett has a new post on his blog about something that could make you think twice about how secure your site really is: session riding, the name a recent paper gives to cross-site request forgery (CSRF).
I recently discovered a PDF that describes something called Session Riding. Having no idea what session riding is, I decided to read it. From the introduction:

"In this paper we describe an issue that was raised in 2001 under the name of Cross-Site Request Forgeries (CSRF). It seems, though, that it has been neglected by the software development and Web Application Security community, as it is not part of recent Web Application Security discussions, nor is it mentioned in OWASP's Top Ten or the like. [...] In short: with Session Riding it is possible to send commands to a Web application on behalf of the targeted user by just sending this user an email or tricking him into visiting a (not per se malicious but) specially crafted website."
This is actually completely backward. With CSRF, the victim unknowingly sends requests of the attacker's choosing to the target site. The attacker does not send "commands" (requests) on behalf of the victim. To be fair, the rest of the document demonstrates a correct understanding of CSRF, so this is apparently an honest mistake.
Thankfully, they also offer a few suggestions for mitigating the problem, including a secret token (the paper's "secret hash") stored in the user's session and required on every state-changing request. Note what the token checks: not who the user is (the session cookie already establishes that) but that the request was submitted from a form the application itself served. A page on another site can make the victim's browser send a request that carries the session cookie, but it cannot read the token out of your page, so the forged request fails the check. Verifying it on each request adds a little overhead, but your site would be that much safer.
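To make both halves concrete, the forged request the quoted post describes and the session-bound secret token the paper recommends, here is an added example. It is not code from Shiflett's post or from the Session Riding paper; it simulates a minimal "transfer money" handler in plain Python with a dict standing in for the session store and for HTTP requests (cookies plus POST fields), and the balances and user names are constructed sample data. The vulnerable handler trusts the session cookie alone; the hardened handler additionally requires the per-session token, which the attacker's page cannot obtain.

```python
"""Simulated CSRF (session riding) attack and the per-session secret token
that stops it.

Added example, not code from Shiflett's post or the Session Riding paper.
A "request" here is a dict of cookies plus POST form fields; SESSIONS maps
a session cookie to the logged-in user and that user's secret anti-CSRF
token. All names, users and balances are constructed for the demo.
"""
import hmac
import secrets

SESSIONS = {}                                  # sid -> {"user", "csrf_token"}
BALANCES = {"victim": 100, "attacker": 0, "friend": 0}   # constructed data


def login(user):
    """Create a server-side session; the browser only ever holds the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def render_transfer_form(sid):
    """The site's own transfer page embeds the session's secret token as a
    hidden field. Only a page served by this site to this session has it."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def _do_transfer(user, form):
    amount = int(form["amount"])
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount


def transfer_vulnerable(request):
    """Checks only for a valid session cookie, so any request the victim's
    browser makes, including one forged by another site, is honoured."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    _do_transfer(session["user"], request["form"])
    return "200 transferred"


def transfer_hardened(request):
    """Same as above, but the form must also carry the session's secret token."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 bad csrf token"
    _do_transfer(session["user"], request["form"])
    return "200 transferred"


def forged_request(victim_sid):
    """What the victim's browser sends after loading the attacker's page:
    the attacker picks the POST fields, the browser attaches the victim's
    cookie automatically, and the attacker never learns the csrf_token."""
    return {"cookies": {"sid": victim_sid},
            "form": {"to": "attacker", "amount": "100"}}


def legitimate_request(victim_sid):
    """The victim submits the site's own form, which carries the token."""
    form = dict(render_transfer_form(victim_sid))
    form.update({"to": "friend", "amount": "10"})
    return {"cookies": {"sid": victim_sid}, "form": form}


def demo():
    """Run the forged request against both handlers and return the outcomes."""
    BALANCES.update({"victim": 100, "attacker": 0, "friend": 0})
    sid = login("victim")
    results = {}
    results["vulnerable"] = transfer_vulnerable(forged_request(sid))
    results["balance_after_vulnerable"] = BALANCES["victim"]   # drained
    BALANCES.update({"victim": 100, "attacker": 0})
    results["hardened_forged"] = transfer_hardened(forged_request(sid))
    results["balance_after_hardened"] = BALANCES["victim"]     # untouched
    results["hardened_legit"] = transfer_hardened(legitimate_request(sid))
    results["balance_after_legit"] = BALANCES["victim"]        # 90
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the token is never checked for "is this the right user"; the session cookie already answered that, and the forged request carries it too. It is checked for "did this request originate from a page we served", which the attacker's page cannot satisfy because the same-origin policy keeps it from reading the hidden field. The `hmac.compare_digest` call is the one detail worth keeping even in toy code: a plain `==` would let timing differences leak the token one byte at a time.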