On Sep 23, 11:23 pm, Simon Willison <[EMAIL PROTECTED]> wrote:
> CSRF attacks are a problem for systems where an action is only meant
> to be available to a specific logged in user. This user is inevitably
> identified by a unique cookie. This is normally a session cookie,
> hence many CSRF protection mechanisms key their hidden form token off
> the session cookie.
It turns out it's not that straightforward after all:

http://icanhaz.com/csrfpdf (PDF link, "Robust Defenses for Cross-Site Request Forgery")

The above paper introduces the "login CSRF" attack, where CSRF is used to force a victim to log in to a site using /the attacker's/ credentials. The hope is that the user will then enter personally sensitive information which the hacker can harvest later on.

Django's CSRF mechanism needs to be able to protect forms even in the absence of a unique-to-the-user cookie, which means it needs a way of setting its own cookies. We can either do this using the form.protect() or form.render_response() methods I advocated earlier, or we can use a middleware/view decorator combination.

I think I'm leaning towards the view decorator / middleware option now.

Cheers,

Simon
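The following is an added illustration, not code from the post or from Django, of the point made above: a CSRF token carried in the framework's own cookie (rather than derived from the session cookie) still protects a login form for an anonymous visitor, so a forged login-CSRF POST is rejected. The cookie and field names, the `Request` stand-in and the `csrf_protect` decorator are constructed for the example.

```python
import hmac
import secrets
from functools import wraps

# Constructed names for this example; they stand in for whatever the framework chooses.
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"

class Request:
    """Minimal stand-in for an HTTP request: method, cookie jar and POST data."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.cookies = dict(cookies or {})
        self.POST = dict(post or {})

def ensure_csrf_cookie(request):
    """Return the browser's CSRF token, minting one if the cookie is absent.
    The token lives in its own cookie, independent of any session, so an
    anonymous user on the login page is covered (the login-CSRF case)."""
    token = request.cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_hex(16)
        request.cookies[COOKIE_NAME] = token  # the response would carry this as Set-Cookie
    return token

def csrf_protect(view):
    """View decorator: on state-changing methods, require the hidden form field
    to match the cookie. A cross-site page can make the browser send the cookie,
    but cannot read it to fill in the matching field."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method in ("POST", "PUT", "DELETE"):
            cookie = request.cookies.get(COOKIE_NAME, "")
            field = request.POST.get(FIELD_NAME, "")
            if not cookie or not hmac.compare_digest(cookie, field):
                return 403
        return view(request, *args, **kwargs)
    return wrapper

@csrf_protect
def login_view(request):
    return 200  # a real view would authenticate request.POST credentials here

def demo():
    """Returns (legitimate, forged-with-cookie, forged-without-cookie) status codes."""
    page = Request("GET")                       # anonymous visitor loads the login form
    token = ensure_csrf_cookie(page)            # cookie minted; form embeds the same value
    legit = Request("POST", cookies={COOKIE_NAME: token},
                    post={FIELD_NAME: token, "username": "victim"})
    forged = Request("POST", cookies={COOKIE_NAME: token},     # login CSRF from another site
                     post={"username": "attacker"})            # browser adds cookie, field missing
    no_cookie = Request("POST", post={FIELD_NAME: "guess", "username": "attacker"})
    return login_view(legit), login_view(forged), login_view(no_cookie)
```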