I could be wrong, and would love to be corrected, but storing the CSRF
token in a session cookie doesn't seem problematic to me since the cookie
should only be readable by your origin.

It would only become a concern if you started allowing cross-origin
requests with credentials.
On Apr 23, 2014 8:09 AM, "Anders Wegge" <awe...@gmail.com> wrote:

> As I read the documentation for SignedCookieSessionFactory, the data
> stored in the session is not encrypted. So storing a CSRF token in the
> session cookie is not a good option. Pyramid_beaker seems to have been
> deprecated with release 1.5, so which options are the best for a site with
> very few actions requiring CSRF and other session data? My first thought is
> to pickle the session data and store them in a blob in the user
> database, but if there is something simpler and/or more elegant available,
> I'd like to hear the alternatives.
>
>  --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> Visit this group at http://groups.google.com/group/pylons-discuss.
> For more options, visit https://groups.google.com/d/optout.
>

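An added illustration (Python, not Pyramid's or pyramid_beaker's code) of the property both messages turn on: a signed cookie session is tamper-evident but readable by whoever holds the cookie, and the server's CSRF check needs only that integrity plus the browser keeping the cookie away from other origins. The cookie format, secret and session contents are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a secret known only to the server (constructed value).
SECRET = b"constructed-server-side-secret"


def new_csrf_session(user: str) -> dict:
    """Create a session carrying a fresh random CSRF token."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def sign_session(session: dict) -> str:
    """Serialize the session as base64 JSON and append an HMAC tag.
    The payload is NOT encrypted: anyone holding the cookie can decode it.
    Only a holder of SECRET can produce a tag that verifies."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"


def verify_session(cookie: str):
    """Return the session dict if the tag is valid, otherwise None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # payload was altered or the cookie was not issued by us
    return json.loads(base64.urlsafe_b64decode(payload))


def read_without_secret(cookie: str) -> dict:
    """What the cookie holder can see without SECRET: the full session,
    CSRF token included. Signing gives integrity, not confidentiality."""
    return json.loads(base64.urlsafe_b64decode(cookie.rsplit(".", 1)[0]))


def csrf_check(cookie: str, submitted_token: str) -> bool:
    """Server-side check on a state-changing request: the token sent with the
    form must equal the token in the signature-verified session."""
    session = verify_session(cookie)
    return session is not None and hmac.compare_digest(
        session.get("csrf_token", ""), submitted_token)


def tampered_cookie(cookie: str, new_session: dict) -> str:
    """A cookie whose payload was swapped while keeping the original tag,
    i.e. an edit made without SECRET; verify_session must reject it."""
    tag = cookie.rsplit(".", 1)[1]
    payload = base64.urlsafe_b64encode(json.dumps(new_session, sort_keys=True).encode())
    return f"{payload.decode()}.{tag}"
```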
