CSRF Token: is it okay if it is attached to my url when I enter my form?

[Sabine Maennel]

Please help: I am confused whether it is okay that it is showing in the url like this:

http://netteachers.de/bewerbung/formular?csrfmiddlewaretoken=2jKsplZsQx5XpBfltUaDmgJjhRiCllxQ

This happens when I enter my form ( a CreateView Model Form)? Is that oky or a security risk of any kind?

[Babatunde Akinyanmi]

I don't think its risky to have csrf token in the url since its in open view in the page's source anyway (I'm not a security expert so that with a very large bag of salt). However you would have that behavior when you are submitting a form with a GET. You should use POST to submit your form instead of GET.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/2e571910-4d1d-4066-9c60-9632f2613f88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Collin Anderson]

However you would have that behavior when you are submitting a form with a GET. You should use POST to submit your form instead of GET.

Yes, use:

<form method="post">

 

[Sabine Maennel]

Thank you Collin and Thundebabzy, 

you identified the problem I think. When I call  the form for the first time it is called the wrong way. I will fix this!

[Wyatt Baldwin]

It sounds like you fixed the underlying issue, but I wanted to answer the original question anyway.

I think it's less than ideal to expose the CSRF token in the URL. It's true that your users can view source and see the token, but putting it in the URL parameters means it will be in the browser history and may be logged on whatever servers are between the user's browser and your server. Although it's true that servers along the way could look at POST data, they shouldn't be logging it. I guess if you wanted to be truly secure you'd use HTTPS (or sneakernet), but it's good to minimize the possibility for attacks.