Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#34182 closed New feature (invalid)

Is there a reason only the headers are checked when using the csrf token?

Reported by: Joon Hwan 김준환
Owned by: nobody
Component: CSRF
Version: dev
Severity: Normal
Keywords: csrf, cookie
Cc: Florian Apolloner
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

It seems unnatural to put the token back in the body while using the httponly option.
If you verify with a cookie (not the x-csrftoken header), security is enhanced and it looks much cleaner.

Change History (2)

comment:1 by Mariusz Felisiak, 2 years ago

Cc: Florian Apolloner added
Resolution: invalid
Status: new → closed

As far as I'm aware, using only the cookie, is not sufficient. Quoting Florian: "Django compares the token from the cookie (which an attacker can't control) to the header/post-data which the attacker can control. Hence you will always need the cookie and the header or post-data."

comment:2 by Joon Hwan 김준환, 2 years ago

If there are tokens that attackers can't control, why do we need comparisons with tokens we can control?
Aren't uncontrollable tokens enough?
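The point made in comment:1, and the question asked in comment:2, can be shown with a small simulation. This is an added example, not code from Django or from either commenter; it models the browser's cookie behaviour with plain dicts and a constructed token, and the function names (cookie_only_check, double_submit_check, browser_request) are assumptions made for the illustration. The cookie is "uncontrollable" in the sense that a cross-origin page cannot read or forge its value, but the browser still attaches it to every request sent to the site, including requests triggered from another site. A check that only looks at the cookie therefore passes for a forged request; a check that also requires the same value in a header or form field (which only the site's own pages can supply) does not.

```python
"""Constructed simulation of why a CSRF cookie alone cannot authenticate a request.

Added example, not Django's code. Cookies for a site are attached by the browser
to every request to that site, regardless of which page started the request, so
a cookie-only check cannot distinguish a forged cross-site request from a real
one. Django's actual check compares the cookie with a second copy that only the
site's own pages can provide (X-CSRFToken header or csrfmiddlewaretoken field).
"""
import hmac
import secrets

TOKEN_LENGTH = 32  # hex characters; assumed length for this simulation


def issue_token() -> str:
    """Server side: mint a fresh random secret to set as the csrftoken cookie."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def cookie_only_check(cookies: dict, headers: dict, form: dict) -> bool:
    """The scheme the ticket proposes: accept if a well-formed csrftoken cookie is present.

    Weak: the browser sends the cookie with cross-site requests too, so this
    check cannot tell who initiated the request.
    """
    token = cookies.get("csrftoken", "")
    return len(token) == TOKEN_LENGTH and all(c in "0123456789abcdef" for c in token)


def double_submit_check(cookies: dict, headers: dict, form: dict) -> bool:
    """Django-style check: the cookie must match a copy carried in a header or the form body.

    A page on another origin cannot read the cookie value (same-origin policy),
    so it cannot produce a matching header or form field.
    """
    cookie_token = cookies.get("csrftoken")
    submitted = headers.get("X-CSRFToken") or form.get("csrfmiddlewaretoken")
    if not cookie_token or not submitted:
        return False
    return hmac.compare_digest(cookie_token, submitted)


def browser_request(site_cookie_jar: dict, headers: dict, form: dict):
    """Model the browser: the site's cookies ride along on every request to that site."""
    return dict(site_cookie_jar), dict(headers), dict(form)


def legitimate_request(token: str):
    """A page served by the site itself rendered the token (template tag) and echoes it back."""
    return browser_request({"csrftoken": token}, {"X-CSRFToken": token}, {})


def forged_request(token: str):
    """A request started from a page on another origin: the victim's cookie is attached
    automatically, but that origin cannot read it, so any token it supplies is unrelated."""
    unrelated_value = secrets.token_hex(TOKEN_LENGTH // 2)
    return browser_request({"csrftoken": token}, {}, {"csrfmiddlewaretoken": unrelated_value})


def evaluate(check, request_builder) -> bool:
    """Issue a token, build the request through the browser model, and run the check."""
    token = issue_token()
    cookies, headers, form = request_builder(token)
    return check(cookies, headers, form)


if __name__ == "__main__":
    print("cookie-only   / legitimate:", evaluate(cookie_only_check, legitimate_request))
    print("cookie-only   / forged:    ", evaluate(cookie_only_check, forged_request))
    print("double-submit / legitimate:", evaluate(double_submit_check, legitimate_request))
    print("double-submit / forged:    ", evaluate(double_submit_check, forged_request))
```

Running the script shows the cookie-only check accepting both requests, while the double-submit check accepts only the legitimate one. This is also why the token still has to be placed in the page body (or be readable by the site's own JavaScript) even when the cookie is HttpOnly: the second copy is what proves the request came from the site's own page.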
