#16859: Allow storing CSRF tokens in sessions
-------------------------------+------------------------------------------
     Reporter:  Paul McMillan  |                    Owner:  Raphael Michel
         Type:  New feature    |                   Status:  assigned
    Component:  CSRF           |                  Version:  master
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Accepted
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+------------------------------------------
Changes (by Tim Graham):

 * owner:  Paul McMillan => Raphael Michel
 * status:  new => assigned
 * type:  Cleanup/optimization => New feature


Old description:

> This is a ticket to keep track of general CSRF improvements we want to
> add to Django.
>
> This includes:
>
>  * #16010 - add Origin checking
>  * Optionally tie CSRF to sessions
>  * Use signing to improve CSRF (maybe with sessions)
>  * Improve domain/host checking - deal with the subdomain to subdomain
> problem

New description:

 Storing the CSRF token in a cookie (Django's default) is safe, but storing
 it in the session is common practice in other web frameworks and therefore
 sometimes demanded by security auditors.
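 The description contrasts two places the CSRF secret can live. The
 following added example is not Django's code and not part of this ticket;
 it is a small stand-alone model of the verification step in each mode,
 written to show what changes when the token moves from the cookie into the
 server-side session. The names (Request, issue_token, verify_csrf, demo) and
 the constructed requests are assumptions made for this example.

```python
"""
Illustrative model of cookie-stored vs session-stored CSRF tokens.
Added example for this page, not Django's implementation: the names and the
constructed requests below are assumptions made for the illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: the cookies the browser
    sends, the server-side session bound to the session cookie, and the
    submitted form fields."""
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def issue_token(request: Request, use_sessions: bool) -> str:
    """Create (or reuse) the per-client CSRF secret.

    Cookie mode stores the secret client-side in a cookie; session mode keeps
    it server-side in the session, so the client only ever holds a session id.
    """
    store = request.session if use_sessions else request.cookies
    if "csrftoken" not in store:
        store["csrftoken"] = secrets.token_hex(16)
    return store["csrftoken"]


def verify_csrf(request: Request, use_sessions: bool) -> bool:
    """Compare the token submitted with the form against the stored secret.

    Both modes fail closed: a missing stored secret or a missing form token
    rejects the request. The comparison is constant-time.
    """
    store = request.session if use_sessions else request.cookies
    stored = store.get("csrftoken")
    submitted = request.post.get("csrfmiddlewaretoken")
    if not stored or not submitted:
        return False
    return hmac.compare_digest(stored, submitted)


def demo() -> dict:
    """Run a legitimate POST and a cross-site POST through both modes."""
    results = {}
    for use_sessions in (False, True):
        req = Request()
        token = issue_token(req, use_sessions)
        # A same-site form submission carries the token the server issued.
        req.post = {"csrfmiddlewaretoken": token}
        results[("ok", use_sessions)] = verify_csrf(req, use_sessions)
        # A cross-site POST still rides along with the victim's cookies and
        # session, but the attacker cannot read the token, so the form
        # field holds a guess. Rejected in both modes.
        forged = Request(cookies=dict(req.cookies), session=dict(req.session),
                         post={"csrfmiddlewaretoken": "guess"})
        results[("forged", use_sessions)] = verify_csrf(forged, use_sessions)
    # Where the secret lives is the difference the ticket is about.
    cookie_req, session_req = Request(), Request()
    issue_token(cookie_req, use_sessions=False)
    issue_token(session_req, use_sessions=True)
    results["cookie_mode_client_holds_secret"] = "csrftoken" in cookie_req.cookies
    results["session_mode_client_holds_secret"] = "csrftoken" in session_req.cookies
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

 Both modes reject the forged request; the auditor-facing difference is
 only that in session mode the secret never leaves the server, at the cost
 of requiring a session for every visitor who receives a form. In Django
 this choice is exposed by the `CSRF_USE_SESSIONS` setting.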

--

Comment:

 I'm going to retitle this ticket for the work that was done and close it.

 If there's remaining work from items in the old description (below), let's
 open new tickets to track them individually.

 > This is a ticket to keep track of general CSRF improvements we want to
 > add to Django. This includes:
 >   * #16010 - add Origin checking
 >   * Optionally tie CSRF to sessions [done in this ticket]
 >   * Use signing to improve CSRF (maybe with sessions)
 >   * Improve domain/host checking - deal with the subdomain to subdomain
 >     problem

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16859#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
