On Sep 23, 11:02 pm, Jan Oberst <[EMAIL PROTECTED]> wrote:
> Adding a signed field with a timestamp would be a much easier way to
> secure forms. But it's not nearly as secure as having the token
> signed with an additional cookie. By setting a signed cookie you can
> verify that this very form was displayed to this very client. Also,
> you don't want to expire a form too early for people who just type
> slow. And if a token is available for too long someone can generate a
> proper token and then use it for an attack for too long.

The additional cookie is pointless. A single random-enough cookie is
enough to differentiate between two users, and that's all you need.
You can then use this cookie to include it in the signature. Here's a
snippet to explain what I mean:
http://www.djangosnippets.org/snippets/1082/

You start with the assumption of a secret unique user cookie (which
I'll affectionately refer to as "the cookie"). The only two things
that the user gets in plain text are the timestamp and the salt. The
salt is probably unnecessary, but what the heck. Nonces are cool. To
this information you add the signature of [timestamp, salt, form class
name, the cookie], and that's your token. The form class name is
probably unnecessary as well.

So to CSRF the form now, you need to recreate the token -> you need to
recreate/acquire the above signature. Recreate is a no-go because you
don't know the site's SECRET_KEY. Acquiring would work using our site
as a black box, but only if you knew the cookie -> contradicts our
assumptions.

Uh, come to think about it, it seems the secret cookie is enough, the
rest is just superfluous. But it might be just my brain farting.
You received this message because you are subscribed to the Google Groups "Django developers" group.
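A worked version of the scheme described in the reply, added here as an example (it is not the linked djangosnippets code or Django's own CSRF machinery): the token carries the timestamp and salt in plain text plus an HMAC over [timestamp, salt, form class name, cookie] keyed with SECRET_KEY, and verification recomputes that signature from the client's cookie. SECRET_KEY, the cookie value, the form names and the one-hour lifetime are constructed for the example; the expiry check and constant-time comparison are additions the thread only implies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example: the site's SECRET_KEY and a token lifetime.
# The per-user secret cookie is passed in by the caller.
SECRET_KEY = b"constructed-secret-key-for-example-only"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def _sign(timestamp: str, salt: str, form_name: str, cookie: str) -> str:
    # Signature over [timestamp, salt, form class name, cookie], keyed with
    # SECRET_KEY. The cookie is the only input the token itself never reveals.
    msg = "\x00".join([timestamp, salt, form_name, cookie]).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(cookie: str, form_name: str, now: Optional[float] = None) -> str:
    """Build 'timestamp:salt:signature'; only timestamp and salt are plain text."""
    timestamp = str(int(now if now is not None else time.time()))
    salt = secrets.token_hex(8)  # the nonce from the post; harmless if redundant
    return ":".join([timestamp, salt, _sign(timestamp, salt, form_name, cookie)])


def verify_token(token: str, cookie: str, form_name: str,
                 now: Optional[float] = None) -> bool:
    """Recompute the signature from the submitted token plus the client's cookie."""
    try:
        timestamp, salt, sig = token.split(":")
        age = (now if now is not None else time.time()) - int(timestamp)
    except ValueError:
        return False  # malformed token
    if age < 0 or age > TOKEN_MAX_AGE:
        return False  # expired, or a timestamp from the future
    expected = _sign(timestamp, salt, form_name, cookie)
    return hmac.compare_digest(sig, expected)  # constant-time comparison
```

Without the cookie (or SECRET_KEY) a forged submission cannot produce a matching signature, and replaying a captured token from another client fails because the cookie differs.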