Django does not store csrftoken on the server.
Django provides the csrftoken in two places: 1) The cookie; 2) A
hidden form field.
When the browser makes a POST request, then:
All Django does after that is verify that the token it receives with (2) is the same as the token it receives with (1).
Why this helps? Because the attack it is designed to mitigate is one where you visit malicious-site.com which contains the following:
<form method="post" target="https://legitimate-site.com">
<input type="hidden" name="somename" value="somevalue">
<!-- More hidden fields that, if submitted successfully to
legitimate-site.com, will cause data loss or other problem -->
<input type="submit" value="A message that pretends that
when you click here something else is going to happen">
</form>
For this attack to succeed, malicious-site.com would need to
specify a csrftoken as, say, a hidden form field (which is
possible) AND provide the same token through a cookie. This is not
possible. malicious-site.com can't set cookies of another site.
The post request may indeed send a csrftoken as a cookie to
legitimate-site.com, but this will be the csrftoken received the
previous time the user visited legitimate-site.com. It will not be
the same as the csrftoken sent as a hidden field, because
malicious-site.com can't read cookies of another site, so it can't
possibly read that cookie and set the hidden field to its value.
Antonis Christofides +30-6979924665 (mobile)
In django you can either obtain a `csrftoken` from a cookie. Or the form can generate a nonce `csrftoken`. How does django validate both and where are they stored on the server. Are they stored as part of the session?
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/83f3da74-ecbc-4197-9627-0c9ab9e8492fn%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7732c858-fd8c-53de-9a0f-99ae704ae4c6%40antonischristofides.com.
What if I can copy that cookie (samesite) in developer tools from legitimate-site.com and create a new cookie for malicious-site.com using developer tools. After I do that I make a request. Will it be successful?
I think it would probably work. (This is not a security issue,
though, since the user agrees. The problem is when
malicious-site.com tries to do something to legitimate-site.com
using the user's credentials without the user knowing.)
Antonis Christofides +30-6979924665 (mobile)
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAE%3DG6DY1gG71vdqEUiax%3DQqfuqukC%3Dyi-qo9zKnwyra4i3ujDw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/af840a8d-5baa-dbed-faea-86d6e787be41%40antonischristofides.com.