On Wed, 2010-09-08 at 10:22 +0200, Patryk Zawadzki wrote:

> Again, it's not there to counter attacks. Think of it as the
> equivalent of the "csrftoken" cookie which could be read in the exact
> same way. I just wanted a couple of strings that are not likely to
> change between form generation and submission.
The csrftoken cookie *cannot* be read in this situation by an attacker, since it is a cookie and will *not* be sent to the third party site, so they cannot create a form with a csrftoken which matches the user's cookie. (We are not talking about a MitM attack here, just a standard third party site that you browse to.)

Luke

--
A mosquito cried out in pain:
"A chemist has poisoned my brain!"
The cause of his sorrow
was para-dichloro-
diphenyltrichloroethane

Luke Plant || http://lukeplant.me.uk/
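The check Luke describes, modelled as an added example (not code from this thread or from Django itself): a same-origin page can embed the value of its own csrftoken cookie in the form, while a third-party page never sees that cookie and so cannot produce a matching field. The `Request` class and the two `render_form*` helpers are constructed stand-ins for the browser and the two page authors; only the field name `csrfmiddlewaretoken` is taken from Django's real form field.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed model of one HTTP request: the cookies the browser attaches
# automatically and the POST body built by whoever authored the page.
@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def issue_token():
    """Per-session secret that the site stores in the csrftoken cookie."""
    return secrets.token_hex(16)


def render_form(csrf_cookie):
    """Same-origin page: the server knows the cookie value and embeds it."""
    return {"csrfmiddlewaretoken": csrf_cookie}


def render_form_cross_site():
    """Third-party page: the victim's cookie is never disclosed to it, so the
    best it can do is embed a guess (hypothetical attacker-side helper)."""
    return {"csrfmiddlewaretoken": secrets.token_hex(16)}


def csrf_check_passes(request):
    """Double-submit check: form token must equal cookie token.
    compare_digest keeps the comparison constant-time."""
    cookie_token = request.cookies.get("csrftoken")
    form_token = request.post.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def simulate():
    """Returns (legitimate submission passes, cross-site submission passes)."""
    token = issue_token()
    legit = Request(cookies={"csrftoken": token}, post=render_form(token))
    # The browser still attaches the cookie to the cross-site POST, but the
    # attacker's page had no way to read it when it built the form.
    cross = Request(cookies={"csrftoken": token}, post=render_form_cross_site())
    return csrf_check_passes(legit), csrf_check_passes(cross)
```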