On Sep 23, 11:23 pm, Simon Willison <[EMAIL PROTECTED]> wrote:
> CSRF attacks are a problem for systems where an action is only meant
> to be available to a specific logged-in user. This user is inevitably
> identified by a unique cookie. This is normally a session cookie,
> hence many CSRF protection mechanisms key their hidden form token off
> the session cookie.

There's another option that avoids the need for any cookies at all:
generating a persistent one-use-only token when a form is saved,
storing that in the database and only allowing submissions that
include a token that was previously assigned.

This avoids any need for cookies at all, but has the serious
disadvantage that you end up with potentially thousands of useless
tokens stored in your database. You can clear these out periodically
but it's still overhead that it would be nice to avoid.

Cheers,

Simon
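As an added example (not Simon's code, and not Django's own CSRF implementation), here is what the cookie-free, database-backed approach described above looks like in Python with an in-memory SQLite store. The table name, the one-hour lifetime, the form names and the fake clock are assumptions chosen for illustration; the point is to show the single-use check done atomically in the database, and the periodic purge that the "thousands of useless tokens" overhead forces on you.

```python
import secrets
import sqlite3
import time

# Constructed schema: one row per token handed out with a rendered form.
# used_at is NULL until the token is consumed by a submission.
SCHEMA = """
CREATE TABLE IF NOT EXISTS form_tokens (
    token     TEXT PRIMARY KEY,
    form_name TEXT NOT NULL,
    issued_at REAL NOT NULL,
    used_at   REAL
)
"""


class FormTokenStore:
    """Cookie-free CSRF protection: every rendered form gets a fresh random
    token stored server-side, and a submission is accepted only if it carries
    a token that exists, belongs to that form, is unused and not expired."""

    def __init__(self, conn, ttl_seconds=3600, now=time.time):
        self.conn = conn
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised in tests
        self.conn.execute(SCHEMA)

    def issue(self, form_name):
        """Called when a form is rendered; the returned value goes in a hidden field."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.conn.execute(
            "INSERT INTO form_tokens (token, form_name, issued_at) VALUES (?, ?, ?)",
            (token, form_name, self.now()),
        )
        return token

    def consume(self, form_name, token):
        """Return True exactly once for a valid token, False otherwise (unknown,
        wrong form, already used, expired). The conditional UPDATE is the
        single-use check itself, so two concurrent submissions of the same
        token cannot both pass."""
        if not token:
            return False
        cutoff = self.now() - self.ttl
        cur = self.conn.execute(
            "UPDATE form_tokens SET used_at = ? "
            "WHERE token = ? AND form_name = ? AND used_at IS NULL AND issued_at >= ?",
            (self.now(), token, form_name, cutoff),
        )
        return cur.rowcount == 1

    def purge(self):
        """The periodic clean-out: drop rows that were used or never submitted
        in time. Returns the number of rows removed."""
        cutoff = self.now() - self.ttl
        cur = self.conn.execute(
            "DELETE FROM form_tokens WHERE used_at IS NOT NULL OR issued_at < ?",
            (cutoff,),
        )
        return cur.rowcount

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM form_tokens").fetchone()[0]


def demo():
    """Walk through the checks and the storage overhead with a fake clock."""
    clock = [1_000_000.0]  # constructed epoch time, advanced by hand below
    store = FormTokenStore(sqlite3.connect(":memory:"), ttl_seconds=600,
                           now=lambda: clock[0])
    results = {}

    good = store.issue("delete_account")
    results["valid_first_use"] = store.consume("delete_account", good)
    results["replay_rejected"] = store.consume("delete_account", good)
    results["forged_rejected"] = store.consume("delete_account",
                                               secrets.token_urlsafe(32))
    other = store.issue("change_email")
    results["wrong_form_rejected"] = store.consume("delete_account", other)

    # 1000 page views whose forms are never submitted: each leaves a dead row.
    for _ in range(1000):
        store.issue("comment")
    results["rows_before_purge"] = store.count()

    clock[0] += 601  # past the TTL
    results["expired_rejected"] = store.consume("change_email", other)
    fresh = store.issue("comment")
    results["rows_purged"] = store.purge()
    results["rows_after_purge"] = store.count()
    results["fresh_still_valid"] = store.consume("comment", fresh)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The store needs no session at all, which is the property Simon is after; the cost shows up in `rows_before_purge`, where one used token and one pending token sit beside a thousand rows that will never be redeemed until `purge()` runs.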
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---