Changes between Initial Version and Version 13 of Ticket #16859


Timestamp:
01/04/21 23:17:21 (23 months ago)
Author:
Tim Graham
Comment:

I'm going to retitle this ticket for the work that was done and close it.

If there's remaining work from items in the old description (below), let's open new tickets to track them individually.

This is a ticket to keep track of general CSRF improvements we want to add to Django. This includes:

  • #16010 - add Origin checking
  • Optionally tie CSRF to sessions [done in this ticket]
  • Use signing to improve CSRF (maybe with sessions)
  • Improve domain/host checking - deal with the subdomain to subdomain problem

  • Ticket #16859

    • Property Status changed from new to assigned
    • Property Cc cmawebsite@… mail@… added
    • Property Summary changed from CSRF Improvements to Allow storing CSRF tokens in sessions
    • Property Version changed from 1.3 to master
    • Property Owner changed from Paul McMillan to Raphael Michel
    • Property Type changed from Cleanup/optimization to New feature
  • Ticket #16859 – Description

    Initial version:

    This is a ticket to keep track of general CSRF improvements we want to add to Django.

    This includes:

     * #16010 - add Origin checking
     * Optionally tie CSRF to sessions
     * Use signing to improve CSRF (maybe with sessions)
     * Improve domain/host checking - deal with the subdomain to subdomain problem

    Version 13:

    Storing the CSRF token in a cookie (Django's default) is safe, but storing it in the session is common practice in other web frameworks and therefore sometimes demanded by security auditors.