Opened 13 years ago
Closed 11 years ago
#15808 closed Bug (fixed)
CSRF token cookie does not utilize the "Secure" or "HttpOnly" flag
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | CSRF | Version: | 1.3 |
| Severity: | Normal | Keywords: | CSRF Secure HttpOnly |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
I have observed that the CSRF token will not utilize the Secure or HttpOnly flags, even when the django is configured to protect session cookies using them. I would personally consider the lack of these flags a bug, as it could result in disclosure of the token value to an attacker, which would then allow them to preform CSRF attacks which would otherwise be prevented.
Because of the nature of the CSRF protection, I feel that having, at a minimum, the ability to configure the Secure flag should be included, and possibly a default setting, I understand that jquery and javascript may have need to access the token for submission of data, so HttpOnly as a default may not work in many environments.
Change History (6)
comment:1 by , 13 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:2 by , 11 years ago
| Easy pickings: | unset |
|---|---|
| Resolution: | duplicate |
| Status: | closed → reopened |
| UI/UX: | unset |
The ticket that this is a duplicate of was closed as "fixed" but it did not implement (and did not discuss) a CSRF_COOKIE_HTTPONLY setting, similar to the SESSION_COOKIE_HTTPONLY setting that does already exist. The implementation would be very simple. The set_cookie() function already has a httponly argument. We just need to pass the value of the new setting to it when creating the cookie.
I'm not sure if the "not critical" comment was referring to the HttpOnly aspect of this ticket, or just the Secure aspect, since the justification mentions strict referer checking over HTTPS (only?)
Either way, clients often perform their own security analysis on sites and make recommendations, and I have one such report in front of me that says I should be setting HttpOnly for the CSRF (and session, which is possible thanks to the SESSION_COOKIE_HTTPONLY setting) cookie. I'd rather respond to them with "done" instead of "not done, but its not critical because we have strict referer checking for CSRF protection".
I can patch my local copy of Django, but is there actually a reason to *not* implement this? I can contribute a patch if this is accepted.
comment:3 by , 11 years ago
There is an open pull request for this issue: https://github.com/django/django/pull/150
comment:4 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
I concur with Luke that it's not strictly necessary, but I don't see any reason why we shouldn't make the option available; we have precedent in SESSION_COOKIE_HTTPONLY, so I don't see why we shouldn't offer CSRF_COOKIE_HTTPONLY as well. It's not like it's going to *reduce* security. Call it a feature, not a bug :-)
comment:5 by , 11 years ago
| Has patch: | set |
|---|---|
| Patch needs improvement: | set |
The PR has tests and docs but it no longer applies cleanly.
It shouldn't be hard to update, though.
comment:6 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Duplicate of #14134.
I'm not going to categorize as a bug, because over HTTPS we also have strict referer checking for CSRF protection, so leaking of the token is not a critical issue.