Is CSRF possible without Cookies?

I have been investigating this for some time, but I haven't found anything to satisfy my curiosity. Is it possible, as a user, to be the victim of a CSRF attack if cookies are disabled. Obviously CSRF depends on t开发者_运维问答he users browser to send the user's credentials with the forged request to the legitimate server. Besides IP addresses, browsers don't automatically send in any other session values do they? In that case, as long as a user can login with cookies disabled, they would be safe from CSRF even on vulnerable websites.

So, you have to ask yourself how does the server know one client from another? In majority of cases, it is the session cookie, but there are other ways as well.

Consider an admin application, that is configured to work only if accessed from localhost. Here, the server is trusting the IP Address of the browser. Now, if an attacker creates a page like <img src="http://localhost/do/something/harmful"/>, and somehow gets the administrator to visit his page, you have a CSRF.

Other examples include abusing Http basic and digest authentication, as Bruno already pointed out.

There are other forms of authentication supported by browsers, in particular HTTP Basic and HTTP Digest, as well as SSL/TLS client-certificates. Unfortunately, the interface to "log out" when using these mechanisms is usually fairly poor. Unlike cookies and forms, stopping to use the credentials is controlled by the browser (not by the server and its cookies), but the buttons are at best in some advanced menu in general (if they exist at all).