id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10996	CSRF documentation doesn't note login CSRF vulnerability	smehmood	Luke Plant	"It is my understanding that the CsrfMiddleware module does not protect against the login CSRF attacks described in http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf. 
This post to the django-dev seems to confirm this: http://groups.google.com/group/django-developers/browse_thread/thread/ae525f270ed46933/5a339c6d64d40868?lnk=gst&q=csrf#5a339c6d64d40868

However, the documentation for the CsrfMiddleware class does not note this, despite having a specific 'Limitations' section. 
It also makes this false statement:
""POST requests that are not accompanied by a session cookie are not protected, but they do not need to be protected, since the 'attacking' Web site could make these kind of requests anyway.""

Two things:

1) The fact that an attacking website could make the requests anyway is not a reason to say they don't need to be protected. It might be more accurate to say that such requests are not authenticated, and thus, are unlikely to perform sensitive actions.
2) This statement ignores the possibility of login CSRFs. These are requests that do not have a session cookie, but /do/ need to be protected.



"		closed	Documentation	1.0		fixed	CSRF		Accepted	0	0	0	0	0	0
