On Mon, 2010-09-06 at 22:39 +0200, Patryk Zawadzki wrote: > Another approach would be not to use a cookie at all. For each {% > csrf_token %} use a slightly modified variant of the above > encode_cookie function with: > > values = { > 'host: request.META['HTTP_HOST'], > 'scheme': request.is_secure(), > 'user_ip': request.META['REMOTE_ADDR'], > 'user_agent': request.META['HTTP_USER_AGENT'], > 'ttl': time.time() + 30*60, > } > > Then when handling a POST request, decipher the token and compare each > META field with the ones from the request and validate ttl against > time.time(). I believe it's not less secure than the current > implementation and solves two problems: > > 1) each form served gets its own ttl, an attacker can't keep pinging > the server to keep the token alive > 2) each token serves for a single use and will inevitably timeout in > 30 minutes while still allowing you to open two forms in two browser > tabs and submit each of them separately
Your method is quite flawed: 1) Use of IP address - a bad idea for the reasons I mentioned in my other message. 2) The use of user agent does nothing to stop an attacker, even for an attacker who isn't a MitM: Consider an attacker who lures you to his site e.g.: http://evil.com/somepage.php somepage.php can read your user agent, and make a request to http://target.com/some-page-with-form/ with the same user agent to get a valid CSRF token. (If he is behind the same firewall as you, he will automatically have the same public IP, so adding the IP address is not a perfect cure for this, even if we could do it, which we can't). somepage.php then returns a page which has a form which targets http://target.com/some-page-with-form/ and includes the CSRF token. The token is valid and unused, and the attacker can proceed. I don't think that adding a timeout will really ever help with CSRF. The nature of CSRF attacks means that the attacker is massively more likely to be able to attack 'now' (which is within a few seconds, the time for a few HTTP requests to complete) rather than 'later', so timeouts just don't help. In addition, they add nuisance for the user - it's quite possible for someone to leave their machine for 30 minutes and come back to it and want to carry on what they were doing. Luke -- A mosquito cried out in pain: "A chemist has poisoned my brain!" The cause of his sorrow was para-dichloro- diphenyltrichloroethane Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.