Changes between Initial Version and Version 1 of Ticket #32800
Timestamp:
May 31, 2021, 1:14:16 PM (3 years ago)
Author:
Chris Jerdonek
  • Ticket #32800 – Description

    initial v1

    Some advantages of not masking the cookie are: It would simplify the code in `CsrfViewMiddleware` because it would remove some complexity and operations that aren't needed for security. Currently, masking the CSRF cookie is a red herring for someone wanting to understand the various security features. Also, not masking the cookie would make requests and responses smaller when `CSRF_USE_SESSIONS` is false or when true and cookie-based sessions are used. This is because masking doubles the length of the string.

    This can be changed fairly easily while (1) continuing to respect masked cookie values, and (2) not forcing session stores to update their cookie in its unmasked form if they are currently storing it masked.
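The following is an added illustration, not code from the ticket or from Django itself: it models the mask/unmask scheme the ticket refers to (a 32-character secret becomes a 64-character token, i.e. the doubling mentioned above) and shows a cookie reader that accepts both an unmasked secret and a legacy masked value, which is what point (1) requires. The alphabet, lengths and function names are assumptions chosen for the example.

```python
import secrets
import string
from typing import Optional

# Assumed constants modelled on Django's CSRF scheme (not copied from the project).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH  # masking doubles the length


def new_csrf_secret() -> str:
    """Random 32-character secret drawn from the allowed alphabet."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str, mask: Optional[str] = None) -> str:
    """Return mask + (secret shifted character-wise by mask): a 64-character token.

    The mask is random unless one is supplied (supplying one only makes tests deterministic).
    """
    mask = mask or new_csrf_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: split off the mask prefix and subtract it from the cipher half."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask)
    )


def secret_from_cookie(value: str) -> Optional[str]:
    """Recover the secret from a cookie that is either unmasked (32 chars) or
    masked by an older version (64 chars); anything else is rejected."""
    if not value or any(ch not in CSRF_ALLOWED_CHARS for ch in value):
        return None
    if len(value) == CSRF_SECRET_LENGTH:
        return value
    if len(value) == CSRF_TOKEN_LENGTH:
        return unmask_token(value)
    return None
```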