Form CSRF issues: insecure by default, race condition


laundmo

Sep 11, 2025, 1:01:18 PM
to py4web
Hi Massimo,

I have pages on which I insert multiple forms using AJAX/JS. On those specific pages I had an odd issue which I was finally able to track down:

Because of the way CSRF is implemented when no csrf_session is passed, if multiple requests generate forms at the same time, they each get a new CSRF private key cookie. Each form response then overwrites the cookie from the previous form requests, meaning only the last form to arrive can verify CSRF, as for the previous ones the private key is wrong. But that's not the most baffling thing:

Why is the private key set as a cookie? That defeats the entire purpose of CSRF: if the private key is just a cookie, an attacker can decode and re-encode the JWT token, or even send back their own private key to be used.

I would strongly encourage the following:
- Disable CSRF entirely instead of making it look like it's working while having it be this insecure
- Use a static private key, like the SESSION_SECRET_KEY used for session storage

As it currently stands, I can of course make it far more secure by providing the csrf_session, but that's easy to forget compared to just having a global secret key for the JWT.
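The two failure modes described in the post, as an added worked example that is not part of the original message and is not py4web's own code. It is a simplified model: the "JWT" is reduced to a payload plus an HMAC-SHA256 signature, the browser is a single cookie jar, and `SERVER_SECRET` is an assumed stand-in for a setting like SESSION_SECRET_KEY. Scheme A mints a fresh key per rendered form and ships it to the client as a cookie, as the post describes; scheme B signs with one server-side secret. The race demo loads two forms before either is submitted, and the forgery demo shows that under scheme A whoever controls the cookie value can mint a token that verifies.

```python
import hashlib
import hmac
import secrets


def sign_token(key: str, payload: str) -> str:
    """Simplified stand-in for a signed JWT: payload plus HMAC-SHA256 over it."""
    sig = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(key: str, token: str) -> bool:
    """Accept the token only if its signature is valid under `key`."""
    payload, _, sig = token.rpartition(".")
    if not payload:
        return False
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class Browser:
    """One cookie jar: every Set-Cookie overwrites the previous value of that name."""

    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}


# --- Scheme A (as described in the post): fresh private key per form, sent as a cookie ---

def render_form_cookie_key(browser: Browser) -> str:
    """Render one form: mint a random key, set it as a cookie, sign the hidden field."""
    key = secrets.token_hex(16)
    browser.cookies["csrf_key"] = key  # Set-Cookie: csrf_key=<key>
    return sign_token(key, "form")     # value of the hidden CSRF field


def submit_cookie_key(browser: Browser, token: str) -> bool:
    """Verify with whatever key the browser sends back in the cookie."""
    return verify_token(browser.cookies.get("csrf_key", ""), token)


# --- Scheme B: one static server-side secret (assumed stand-in for SESSION_SECRET_KEY) ---

SERVER_SECRET = "static-server-secret-never-sent-to-client"


def render_form_static_key() -> str:
    return sign_token(SERVER_SECRET, "form")


def submit_static_key(token: str) -> bool:
    return verify_token(SERVER_SECRET, token)


def race_cookie_key() -> dict[str, bool]:
    """Two AJAX form loads arrive before either is submitted (scheme A)."""
    browser = Browser()
    token_1 = render_form_cookie_key(browser)  # cookie now holds k1
    token_2 = render_form_cookie_key(browser)  # cookie now holds k2; k1 is gone
    return {
        "form1_submits": submit_cookie_key(browser, token_1),  # signed with k1, checked with k2
        "form2_submits": submit_cookie_key(browser, token_2),
    }


def race_static_key() -> dict[str, bool]:
    """Same two-form sequence under scheme B: nothing client-side to overwrite."""
    token_1 = render_form_static_key()
    token_2 = render_form_static_key()
    return {
        "form1_submits": submit_static_key(token_1),
        "form2_submits": submit_static_key(token_2),
    }


def forge_cookie_key() -> bool:
    """Scheme A: the party choosing the cookie value can mint a token that verifies."""
    browser = Browser()
    chosen_key = "anything-the-client-likes"
    browser.cookies["csrf_key"] = chosen_key  # client sends back its own "private" key
    return submit_cookie_key(browser, sign_token(chosen_key, "form"))


def forge_static_key() -> bool:
    """Scheme B: a token signed with a guessed key is rejected; the secret stays server-side."""
    return submit_static_key(sign_token("anything-the-client-likes", "form"))


if __name__ == "__main__":
    print("per-form cookie key, two forms in flight:", race_cookie_key())
    print("static server key, two forms in flight:  ", race_static_key())
    print("client-chosen cookie key accepted:", forge_cookie_key())
    print("guessed static key accepted:", forge_static_key())
```

Running the script shows `form1_submits` failing only under scheme A, and the forged token accepted only under scheme A; the second form's cookie has replaced the first's key, and a verifier that trusts the key it receives from the client has nothing left to verify against.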