Changes between Initial Version and Version 2 of Ticket #35796


Ignore:
Timestamp:
Nov 7, 2024, 3:57:50 PM (2 weeks ago)
Author:
Benjamin Zagorsky
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #35796

    • Property Component Core (Other)CSRF
    • Property Easy pickings unset
    • Property Keywords signing added
    • Property Resolutionwontfix
    • Property Status newclosed
    • Property Summary Add setting to sign CSRF cookieAdd signing support to the CSRF cookie
  • Ticket #35796 – Description

    initial v2  
    1 Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie signing infrastructure to sign the CSRF cookie.  This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
     1Django's CSRF middleware should support signing and checking signatures on CSRF cookies.  This would enable sites running on a subdomain of a shared domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering (reducing the caveat currently under https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
    22
    3 This setting should initially default to `False` for backwards comparability, although this could be changed in a future major release.
     3In order to do this in a backwards compatible way, Django should have a setting `CSRF_COOKIE_SIGNING ` that takes three settings:
     4
     51. `"disabled"` (default): CSRF token is not signed, but CSRF middleware accepts both signed and unsigned cookies.
     62. `"lenient"`: CSRF token is signed, and CSRF middleware accepts both signed and unsigned cookies.
     73.  `"strict"`: CSRF token is signed, and CSRF middleware only accepts signed cookies.
     8
     9This would enable people to upgrade their systems over two releases with no disruption to users, stepping from `"disabled"` to `"lenient"` in one release and `"lenient"` to `"strict"` in the second release.
     10
     11Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3
Back to Top