On 23/07/12 08:07, Rohan Jain wrote:
> ### CSRF Cookies (Time signed):
>
>  - A random token generated by the server stored in the browser cookies. For
>    verification, every non-GET request will need to provide a signed version of
>    the same token. This can then be verified on the browser side.
>  - This can be implemented by adding signing to the existing csrf token system,
>    using the signing framework.
>  - A conventional method of CSRF checks, all the major frameworks have similar
>    systems.
>  - Signing takes care of the side effects due to cross domain behaviour of
>    cookies.
>  - Cons:
>
>    - Relies on the browser cookies system, which introduces insecurities.
>    - Can be broken easily by having a parallel legitimate session, which gives
>      a valid token, signature pair. This generator can then be used in MITM
>      attacks.
I don't understand the motivation for this part. Could you describe the
attack scenarios where this method improves our security with respect to
the current system?

Regards,

Luke

-- 
"Pretension: The downside of being better than everyone else is that
people tend to assume you're pretentious." (despair.com)

Luke Plant || http://lukeplant.me.uk/

-- 
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
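For readers following the thread, here is a stand-alone sketch of the "time signed CSRF cookie" scheme as Rohan describes it above. This is an added example, not Rohan's proposed patch and not Django's own CSRF or signing code: it uses only the Python standard library, and the names (`SECRET_KEY`, `MAX_AGE_SECONDS`, `new_csrf_cookie`, `sign_csrf_token`, `verify_csrf`) and the message layout `token:timestamp:mac` are assumptions made for the example. It also illustrates the "Cons" bullet: a party who holds any legitimate session can mint a valid (token, signature) pair, so the check only establishes that the submitted value was signed by this server, not that it belongs to the user whose cookie jar it now sits in.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server secret for the example only. In a real deployment this
# is the application's secret key and is never a constant in source.
SECRET_KEY = b"example-secret-key-not-for-production"
# Assumed lifetime of a signed token; the quoted proposal gives no value.
MAX_AGE_SECONDS = 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_csrf_cookie() -> str:
    """Random token the server sets in the browser cookie (no ':' in the alphabet)."""
    return secrets.token_urlsafe(32)


def _mac(token: str, timestamp: int) -> bytes:
    # HMAC over token and timestamp so neither can be altered independently.
    return hmac.new(SECRET_KEY, f"{token}:{timestamp}".encode(), hashlib.sha256).digest()


def sign_csrf_token(token: str, now: Optional[int] = None) -> str:
    """Value embedded in the form or request header: token:timestamp:mac."""
    ts = int(time.time()) if now is None else now
    return f"{token}:{ts}:{_b64(_mac(token, ts))}"


def verify_csrf(cookie_token: str, submitted: str, now: Optional[int] = None) -> bool:
    """Server-side check for a non-GET request.

    Passes only if the submitted value carries a valid server signature, is not
    older than MAX_AGE_SECONDS, and names the same token as the cookie that
    arrived with the request.
    """
    now = int(time.time()) if now is None else now
    try:
        token, ts_str, mac_b64 = submitted.split(":")
        ts = int(ts_str)
        mac = _unb64(mac_b64)
    except ValueError:
        # Wrong field count, non-integer timestamp or undecodable MAC.
        return False
    # 1. Signature must verify under the server secret (constant-time compare).
    if not hmac.compare_digest(mac, _mac(token, ts)):
        return False
    # 2. Signature must be within its lifetime and not from the future.
    if ts > now or now - ts > MAX_AGE_SECONDS:
        return False
    # 3. Signed token must match the cookie presented with this request.
    return hmac.compare_digest(token.encode(), cookie_token.encode())


def attacker_can_replay_own_pair(now: int) -> bool:
    """The weakness in the quoted 'Cons': an attacker with a legitimate session
    obtains a (token, signature) pair; if the cookie can be planted in the
    victim's browser (cross-domain cookie behaviour), the pair verifies."""
    attacker_cookie = new_csrf_cookie()
    attacker_signed = sign_csrf_token(attacker_cookie, now=now)
    return verify_csrf(attacker_cookie, attacker_signed, now=now + 10)
```

Nothing in `verify_csrf` ties the token to a particular user or session, which is exactly why the check cannot distinguish a victim's cookie from one the attacker arranged to have set; binding the token to the session (or to a value the attacker cannot plant) is what the scheme above leaves out.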