I thought, rather, that the csrf token was a cookie that was put in a
hidden form field.

With firebug or webkit dev tools you can see the django csrf token in
the cookies. I would also refer you to middleware/csrf.py, where you
can see it doing the set_cookie.

I thought the security of the csrf token relied on the fact that the
3rd party wouldn't know what value to put in the hidden form field.
The csrf middleware is, I believe, validating the value in the form
field against the value in the cookie. But when it creates the form, it
uses the value in the cookie.

If the token is stored in an insecure cookie, it can be sniffed. Then
I don't understand what prevents the attacker from constructing a
valid form.


On Wed, Feb 9, 2011 at 11:36 AM, Ian Clelland <clell...@gmail.com> wrote:
> On Wed, Feb 9, 2011 at 11:23 AM, Brian Craft <bc...@thecraftstudio.com> wrote:
>> I notice that the csrf token is not secure, i.e. the Set-Cookie is
>> constructed w/o the "secure" option, so the browser will send it
>> in-the-clear. It's trivial, then, for a 3rd party to discover the csrf
>> token.
>>
>> Am I missing something?
>
> The CSRF token isn't a cookie (or at least, it shouldn't be) -- it's a
> form field. The security principle behind the CSRF token isn't so much
> that it's not discoverable, as much as that an attacker can't
> construct a link that gets your browser to submit it to the server.
>
> If your site is under SSL (you're talking about secure-only cookies, so
> I presume that this is the case), then the CSRF token should only
> appear in the HTML forms that the server sends to your browser, and
> the POST requests that your browser makes back, both of which should
> be protected.
>
> If the CSRF token was set in a cookie, then it would be sent with
> every single request that the browser made, and it really would be
> trivial for an attacker to get you to make a valid request of the web
> server, whether he could discover the contents of that cookie or not.
> (SSL wouldn't even help; he could construct an https:// link just as
> easily.) That's not how it's supposed to be set up, though.
>
> --
> Regards,
> Ian Clelland
> <clell...@gmail.com>
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/django-users?hl=en.
>
>
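As an added illustration (my own code, not Django's middleware/csrf.py and not part of the original thread): a minimal model of the double-submit check Brian describes, where the token is held in both a cookie and a hidden form field and the server accepts a POST only when the two match, plus the Set-Cookie line with and without the Secure attribute. The cookie and field names and all function names are assumptions.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Constructed names; Django's real defaults may differ.
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"


def issue_token() -> str:
    """Fresh random token the server stores in the cookie on first response."""
    return secrets.token_hex(16)


def set_cookie_header(token: str, secure: bool) -> str:
    """Build the Set-Cookie line for the token.

    Without the Secure attribute the browser also sends this cookie over
    plain http://, which is the sniffing concern raised in the thread.
    """
    attrs = [f"{COOKIE_NAME}={token}", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def csrf_check(cookies: Mapping[str, str], form: Mapping[str, str]) -> Optional[str]:
    """Return None if the POST passes the double-submit check, else the reason."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token:
        return "CSRF cookie not set"
    if not form_token:
        return "CSRF token missing"
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return "CSRF token incorrect"
    # The check compares the two values and nothing more, so it is only as
    # strong as the secrecy of the token; hence the Secure attribute above.
    return None


if __name__ == "__main__":
    token = issue_token()
    # Legitimate submission: cookie and hidden field carry the same value.
    assert csrf_check({COOKIE_NAME: token}, {FIELD_NAME: token}) is None
    # Cross-site POST: a third-party page cannot read the victim's cookie,
    # so it cannot fill the hidden field, and the cookie alone is not enough.
    assert csrf_check({COOKIE_NAME: token}, {}) == "CSRF token missing"
    print(set_cookie_header(token, secure=True))
```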
