Hi there,

I'd like to discuss the behavior of the 'csrftoken' cookie that is used
for Django's CSRF protection [1].
I noticed that the cookie content does not change when performing a login
(like the 'sessionid' cookie does).
According to [1] this seems to be the documented behavior: "This cookie is
set by CsrfViewMiddleware. It is meant to be *permanent*",
but the csrftoken content should change on login (like the sessionid
cookie does).
If the attacker is able to set the cookie (this can happen before the
victim performs the login), he will know the nonce that is needed to
bypass the CSRF protection:
"The malicious user would have to know the nonce, which is user specific
(using a cookie)." [2]

Do you agree that the 'csrftoken' cookie should be treated like the
session cookie when it comes to fixation attack prevention (the cookie
should change on login)?
Can this be fixed directly in the CsrfViewMiddleware, or can/should
developers address this in the web application?

Kind regards,
Mike

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
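The scenario the post describes, as an added, constructed model (not Django's code or API): a double-submit CSRF check where the token lives only in a cookie, and a login that either keeps the csrftoken permanent or rotates it the way the sessionid is rotated. The check `pre_login_token_still_valid` shows why a cookie value fixed before login keeps passing the CSRF check unless the token is rotated at login; all function and cookie names here are hypothetical.

```python
import hmac
import secrets

# Constructed model of a double-submit CSRF scheme: the server keeps the
# token only in a cookie, and a POST is accepted when the form field equals
# the cookie value. Function names are hypothetical, not Django's own API.

def new_token() -> str:
    """Generate an unpredictable token (the 'nonce')."""
    return secrets.token_hex(16)

def csrf_check(cookies: dict, form: dict) -> bool:
    """Accept the request only if the form token matches the cookie token."""
    cookie_token = cookies.get("csrftoken", "")
    form_token = form.get("csrfmiddlewaretoken", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)

def login(cookies: dict, rotate_csrf: bool) -> dict:
    """Model a login: a fresh sessionid is always issued; the csrftoken is
    replaced only when rotate_csrf is True (the behaviour the post asks for)."""
    cookies = dict(cookies)
    cookies["sessionid"] = new_token()
    if rotate_csrf:
        cookies["csrftoken"] = new_token()
    return cookies

def pre_login_token_still_valid(rotate_csrf: bool) -> bool:
    """Return True if a csrftoken value present before login still passes the
    CSRF check after login, i.e. whether a fixed value survives the login."""
    # Browser state before login: it already carries a csrftoken whose value
    # is known to whoever set it (constructed sample value).
    fixed_value = "0123456789abcdef0123456789abcdef"
    cookies = login({"csrftoken": fixed_value}, rotate_csrf)
    # A form carrying the old, known value.
    old_form = {"csrfmiddlewaretoken": fixed_value}
    return csrf_check(cookies, old_form)

if __name__ == "__main__":
    print("permanent token, old value still valid:",
          pre_login_token_still_valid(False))   # True
    print("rotated on login, old value still valid:",
          pre_login_token_still_valid(True))    # False
```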