#34182 closed New feature (invalid)
Is there a reason only the headers are checked when using the csrf token?
| Reported by: | Joon Hwan 김준환 | Owned by: | nobody |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | csrf, cookie |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
It seems unnatural to put the token back in the body while using the httponly option.
If verify with a cookie (not x-csrftoken header), security is enhanced and it looks much cleaner.
Change History (2)
comment:1 by , 17 months ago
| Cc: | added |
|---|---|
| Resolution: | → invalid |
| Status: | new → closed |
comment:2 by , 17 months ago
If there are tokens that attackers can't control, why do we need comparisons with tokens we can control?
Aren't uncontrollable tokens enough?
Note:
See TracTickets
for help on using tickets.
As far as I'm aware, using only the cookie, is not sufficient. Quoting Florian: "Django compares the token from the cookie (which an attacker can't control) to the header/post-data which the attacker can control. Hence you will always need the cookie and the header or post-data."