[Django] #34182: Is there a reason only the headers are checked when using the csrf token?


Django

Nov 24, 2022, 8:45:53 PM11/24/22
to django-...@googlegroups.com
#34182: Is there a reason only the headers are checked when using the csrf token?
--------------------------------------------+------------------------------
Reporter: Joon Hwan 김준환 | Owner: nobody
Type: New feature | Status: new
Component: CSRF | Version: dev
Severity: Normal | Keywords: csrf, cookie
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------------
It seems unnatural to put the token back in the body while using the
httponly option.
If we verify with a cookie (not the x-csrftoken header), security is enhanced and
it looks much cleaner.

--
Ticket URL: <https://code.djangoproject.com/ticket/34182>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Nov 25, 2022, 12:03:17 AM11/25/22
to django-...@googlegroups.com
#34182: Is there a reason only the headers are checked when using the csrf token?
----------------------------------+--------------------------------------
Reporter: Joon Hwan 김준환 | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: invalid
Keywords: csrf, cookie | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

* cc: Florian Apolloner (added)
* status: new => closed
* resolution: => invalid


Comment:

As far as I'm aware, using only the cookie is not sufficient. Quoting
[https://code.djangoproject.com/ticket/23040#comment:1 Florian]: ''"Django
compares the token from the cookie (which an attacker can't control) to
the header/post-data which the attacker can control. Hence you will always
need the cookie and the header or post-data."''

--
Ticket URL: <https://code.djangoproject.com/ticket/34182#comment:1>
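The comparison Florian describes, as an added illustration that is not Django's own code: a simplified double-submit check beside the cookie-only check the ticket proposes, run over two constructed requests (Django's `csrftoken`, `X-CSRFToken` and `csrfmiddlewaretoken` names are used; the request dicts are made up here). The cross-site request still carries the cookie because the browser attaches it automatically, but it carries no matching token because the other site cannot read the cookie, which is why the cookie alone proves nothing.

```python
import hmac
import secrets

# Names Django uses for its CSRF cookie, header and form field.
COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"
FIELD_NAME = "csrfmiddlewaretoken"


def cookie_only_check(cookies):
    """The ticket's proposal: accept a request if the CSRF cookie is present.
    Shown only to demonstrate why it cannot tell a forged request apart."""
    return bool(cookies.get(COOKIE_NAME))


def double_submit_check(cookies, headers, post_data):
    """Simplified Django-style check: the cookie (not attacker-controlled)
    must match the token the page supplied via header or form field
    (attacker-controlled, but unguessable without reading the cookie).
    Real Django masks the form token; that detail is omitted here."""
    cookie_token = cookies.get(COOKIE_NAME, "")
    request_token = headers.get(HEADER_NAME) or post_data.get(FIELD_NAME, "")
    if not cookie_token or not request_token:
        return False
    return hmac.compare_digest(cookie_token, request_token)


def legitimate_request(token):
    """Constructed request from the site's own page: the server rendered the
    token into the page (so HttpOnly on the cookie is irrelevant) and the
    browser attached the cookie."""
    return {COOKIE_NAME: token}, {HEADER_NAME: token}, {}


def forged_request(token):
    """Constructed cross-site request: the browser attaches the victim's
    cookie automatically, but the other origin cannot read it (same-origin
    policy), so the body can only carry a guess."""
    return {COOKIE_NAME: token}, {}, {FIELD_NAME: "attacker-guess"}


def evaluate():
    """Run both checks over both constructed requests and report the verdicts."""
    token = secrets.token_urlsafe(32)
    requests = {"legitimate": legitimate_request(token),
                "forged": forged_request(token)}
    return {
        name: {"cookie_only": cookie_only_check(cookies),
               "double_submit": double_submit_check(cookies, headers, post)}
        for name, (cookies, headers, post) in requests.items()
    }
```

`evaluate()` shows the gap directly: the cookie-only check accepts both requests, while the double-submit check accepts only the legitimate one.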

Django

Nov 25, 2022, 7:40:48 AM11/25/22
to django-...@googlegroups.com
#34182: Is there a reason only the headers are checked when using the csrf token?
----------------------------------+--------------------------------------
Reporter: Joon Hwan 김준환 | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: invalid
Keywords: csrf, cookie | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------

Comment (by Joon Hwan 김준환):

If there are tokens that attackers can't control, why do we need
comparisons with tokens we can control?
Aren't uncontrollable tokens enough?

--
Ticket URL: <https://code.djangoproject.com/ticket/34182#comment:2>
