is there an easy way to handle a unique http and https CSRF tokens ?

[Jonathan Vanasco]

We strive for 100% HTTPS, but need to support some HTTP endpoints.  Those endpoints have CSRF needs.

I'm in the process of migrating to the new cookie based csrf policy, and it doesn't seem like there is an easy way to run different tokens on HTTP vs HTTPS short of writing a new ICSRFStoragePolicy utility and plugin.  Has anyone worked on this before?

[Michael Merickel]

> I'm in the process of migrating to the new cookie based csrf policy, and it doesn't seem like there is an easy way to run different tokens on HTTP vs HTTPS short of writing a new ICSRFStoragePolicy utility and plugin.  Has anyone worked on this before?

Specialized use-cases are the reason we added the ability to provide a custom storage policy. You'll probably want to write one.

On Mon, Dec 4, 2017 at 12:25 PM, Jonathan Vanasco <jona...@findmeon.com> wrote:

We strive for 100% HTTPS, but need to support some HTTP endpoints.  Those endpoints have CSRF needs.

I'm in the process of migrating to the new cookie based csrf policy, and it doesn't seem like there is an easy way to run different tokens on HTTP vs HTTPS short of writing a new ICSRFStoragePolicy utility and plugin.  Has anyone worked on this before?

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to pylons-discuss@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/0e098559-5bdc-4e71-8f23-a8ab891f2957%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jonathan Vanasco]

On Monday, December 4, 2017 at 3:31:19 PM UTC-5, Michael Merickel wrote:

> I'm in the process of migrating to the new cookie based csrf policy, and it doesn't seem like there is an easy way to run different tokens on HTTP vs HTTPS short of writing a new ICSRFStoragePolicy utility and plugin.  Has anyone worked on this before?

Specialized use-cases are the reason we added the ability to provide a custom storage policy. You'll probably want to write one.

Thanks, Michael! I didn't really think this was that specialized, and wanted to ensure I wasn't missing anything obvious.  

Building a custom policy is pretty easy - it only took about 30 minutes to prototype with unit tests.

[Jonathan Vanasco]

I ended up writing a small utility with debugtoolbar support for this https://github.com/jvanasco/pyramid_csrf_multi_scheme

I'm not entirely sure it's needed, but leaned towards "better safe than sorry".