Csrf: when is it updated/generated?


Stefano Tranquillini

Apr 28, 2016, 11:24:40 AM4/28/16
to Django users
Hello,
I was running a test on a website I develop with Django and the system pointed out that "There are indications that attempts to protect against CSRF is in place. By using two different sessions the same tokens were retrieved. This may indicate a buggy behavior in the protection mechanism." To check it out I opened two tabs of the login page and both have the same CSRF token. This sounds strange to me, but maybe it is not.
I've tried to look into the docs or in the group but I can't figure out if it's intended behaviour or not.

When is a CSRF token generated/updated?

thanks.

Tim Graham

Apr 28, 2016, 12:30:15 PM4/28/16
to Django users

Stefano Tranquillini

Apr 28, 2016, 3:16:10 PM4/28/16
to Django users
It says "A CSRF cookie that is set to a random value (a session independent nonce, as it is called)," and later "For security reasons, the value of the CSRF cookie is changed each time a user logs in."

The value is the same in the two tabs because I've not performed the login, right? (and it reads the data from the cookie file) But from the first sentence it seems that every time I refresh the page (so I open it in a new tab) it should change (but if the value is in the cookie then it's not).

Michal Petrucha

Apr 28, 2016, 4:23:07 PM4/28/16
to django...@googlegroups.com
On Thu, Apr 28, 2016 at 12:16:10PM -0700, Stefano Tranquillini wrote:
> it says "A CSRF cookie that is set to a random value (a session independent
> nonce, as it is called)," and later "For security reasons, the value of
> the CSRF cookie is changed each time a user logs in."
>
> The value is the same in the two tabs because i've not performed the login,
> right? (and it reads the data from the cookie file)

That is mostly correct, but it's really more a matter of how browsers
treat cookies – usually, in the same browser window, different tabs
will use the same cookies when loading the same domain, unless one of
those tabs is in “private” mode and the other is not, in which case
they will be independent. But as I said, this depends on how the
browser isolates tabs and/or windows from each other.

> but from the first
> sentence it seems that every time i refresh the page (so i open it in a new
> tab) it should change (but if the value is in the cookie then it's not).

No – the Django CSRF middleware will only set the CSRF token to a new
value if there was no value provided in the request. That means, if it
has already set the value of the CSRF cookie in this session, the same
value will be reused until either the cookie expires, or you log in,
in which case it will be reset by Django.

Does this help clear things up a bit?

Michal
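The behaviour Michal describes (set the cookie only when the request carries none, reuse it otherwise, rotate it on login, and check the form token against it) is easy to see in a small model. The following is an added example written for this page, not Django's middleware: the cookie name matches Django's default, but the `Browser`/`Server` classes, the token length and the `login()` hook are simplifications chosen for illustration. It also reproduces the scanner's test from the first post: two tabs of one browser share a cookie jar and therefore a token, while two independent clients do not.

```python
"""Model of the CSRF cookie lifecycle discussed in the thread.

Added illustration, not Django's code. Assumptions: one cookie jar per
Browser instance (two tabs share it), a Server that mimics the middleware's
decisions, and a login() that rotates the cookie on success.
"""
import hmac
import secrets

CSRF_COOKIE_NAME = "csrftoken"  # Django's default cookie name


def _new_token() -> str:
    # A random, session-independent nonce: this is the cookie value.
    return secrets.token_hex(16)


class Browser:
    """One cookie jar. Two tabs of the same browser share one instance;
    a private window or a second machine is a second instance."""

    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}


class Server:
    """Mimics the middleware's handling of the CSRF cookie."""

    def get(self, browser: Browser) -> str:
        """Serve a page (e.g. the login form) and return the token it embeds.

        A new cookie is set only when the request carried none; otherwise the
        existing value is reused unchanged."""
        token = browser.cookies.get(CSRF_COOKIE_NAME)
        if token is None:
            token = _new_token()
            browser.cookies[CSRF_COOKIE_NAME] = token  # Set-Cookie
        return token  # ends up in the hidden csrfmiddlewaretoken field

    def post(self, browser: Browser, submitted_token: str) -> bool:
        """Double-submit check: the form token must equal the cookie value."""
        cookie = browser.cookies.get(CSRF_COOKIE_NAME)
        if cookie is None:
            return False
        return hmac.compare_digest(cookie, submitted_token)

    def login(self, browser: Browser, submitted_token: str) -> bool:
        """A successful login rotates the cookie, as the docs state."""
        if not self.post(browser, submitted_token):
            return False
        browser.cookies[CSRF_COOKIE_NAME] = _new_token()  # rotate on login
        return True


def same_browser_two_tabs() -> bool:
    """Two tabs of one browser load the login page: same token."""
    server, browser = Server(), Browser()
    return server.get(browser) == server.get(browser)


def two_independent_sessions_share_token() -> bool:
    """Two separate cookie jars (the scanner's 'two sessions'): different tokens."""
    server = Server()
    return server.get(Browser()) == server.get(Browser())


def token_rotates_on_login() -> bool:
    """The cookie value changes on login and is then reused until it changes again."""
    server, browser = Server(), Browser()
    before = server.get(browser)
    if not server.login(browser, before):
        return False
    after = server.get(browser)
    return before != after and after == server.get(browser)


def stale_token_rejected_after_login() -> bool:
    """A form rendered before login carries the old token and fails the check."""
    server, browser = Server(), Browser()
    before = server.get(browser)
    server.login(browser, before)
    return not server.post(browser, before)


if __name__ == "__main__":
    print("same browser, two tabs, same token:", same_browser_two_tabs())
    print("two independent sessions, same token:", two_independent_sessions_share_token())
    print("token rotates on login:", token_rotates_on_login())
    print("stale token rejected after login:", stale_token_rejected_after_login())
```

If the scanner really used two independent sessions (two cookie jars) and still saw the same token, that would be worth investigating; if it reused one cookie jar, the finding is expected behaviour. In a real project the same comparison can be made with `django.test.Client`: fetch the login page twice from one client and compare `client.cookies[CSRF_COOKIE_NAME]`, then repeat with two `Client` instances (this usage is a suggestion for the reader, not something shown in the thread).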