Opened 13 years ago

Closed 4 years ago

#16859 closed New feature (fixed)

Allow storing CSRF tokens in sessions

Reported by: Paul McMillan Owned by: Raphael Michel
Component: CSRF Version: dev
Severity: Normal Keywords:
Cc: cmawebsite@…, mail@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tim Graham)

Storing the CSRF token in a cookie (Django's default) is safe, but storing it in the session is common practice in other web frameworks and therefore sometimes demanded by security auditors.

Change History (13)

comment:2 by Collin Anderson, 10 years ago

Cc: cmawebsite@… added

comment:3 by Asif Saifuddin Auvi, 10 years ago

Version: 1.3master

comment:4 by Raphael Michel, 9 years ago

In case other people at the #duth sprint are looking into this: Shai Berger is working on a new approach to generating the tokens and I'm working on the usage of sessions for token storage.

Last edited 9 years ago by Raphael Michel (previous) (diff)

comment:5 by Raphael Michel, 9 years ago

Cc: mail@… added

I submitted a first version of a patch for session storage of CSRF tokens: https://github.com/django/django/pull/5600

I'd love to have some review on this, but I'm fine with postponing the merge after Shai landed his changes to CSRF handling, as those two will get merge conflicts and his one will be the bigger change.

comment:6 by Tim Graham, 8 years ago

Has patch: set

comment:7 by Tim Graham <timograham@…>, 8 years ago

In ddf169c:

Refs #16859 -- Allowed storing CSRF tokens in sessions.

Major thanks to Shai for helping to refactor the tests, and to
Shai, Tim, Florian, and others for extensive and helpful review.

comment:8 by Tim Graham, 8 years ago

Has patch: unset

comment:9 by Tim Graham <timograham@…>, 8 years ago

In 33e86b34:

Refs #16859 -- Disabled CSRF_COOKIE_* checks when using CSRF_USE_SESSIONS.

comment:10 by Tim Graham <timograham@…>, 8 years ago

In 503e944a:

Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.

comment:11 by Tim Graham <timograham@…>, 8 years ago

In 6bb01b0:

[1.11.x] Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.

Backport of 503e944ac792498e7b38c799d8e4b06f74e9d65a from master

comment:12 by Ed Morley, 8 years ago

Currently the CSRF middleware performs strict Referer header checking, to (a) mitigate MITM attacks that set a cookie via plain HTTP, and (b) prevent issues with malicious subdomains.

If the new CSRF_USE_SESSIONS is set to True, does that mean both of those issues can no longer occur, and so the strict referrer checking is then not required? (Along the lines of: https://github.com/django/django/pull/5600#issuecomment-154797097)

comment:13 by Tim Graham, 4 years ago

Description: modified (diff)
Owner: changed from Paul McMillan to Raphael Michel
Status: newassigned
Summary: CSRF ImprovementsAllow storing CSRF tokens in sessions
Type: Cleanup/optimizationNew feature

I'm going to retitle this ticket for the work that was done and close it.

If there's remaining work from items in the old description (below), let's open new tickets to track them individually.

This is a ticket to keep track of general CSRF improvements we want to add to Django. This includes:

  • #16010 - add Origin checking
  • Optionally tie CSRF to sessions [done in this ticket]
  • Use signing to improve CSRF (maybe with sessions)
  • Improve domain/host checking - deal with the subdomain to subdomain problem

comment:14 by Tim Graham, 4 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.
Back to Top