On 23/07/12 08:07, Rohan Jain wrote:
> ###CSRF Cookies (Time signed):
>  - A random token generated by the server stored in the browser cookies. For
>    verification, every non get request will need to provide a signed version 
> of
>    the same token. This can then be verified on the browser side.
>  - This can be implemented by adding signing to the existing csrf token 
> system,
>    using the signing framework.
>  - A conventional method of CSRF checks, all the major frameworks have similar
>    systems.
>  - Signing takes care of the side effects due to cross domain behaviour of
>    cookies.
>  - Cons:
>     - Relies on the browser cookies system, which introduces insecurities.
>     - Can be broken easily by having a parallel legitimate session, which 
> gives
>       a valid token, signature pair. This generator can then be used in MITM
>       attacks.

I don't understand the motivation for this part. Could you describe the
attack scenarios where this method improves our security with respect to
the current system?



"Pretension: The downside of being better than everyone else is
that people tend to assume you're pretentious." (despair.com)

Luke Plant || http://lukeplant.me.uk/

You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
For more options, visit this group at 

Reply via email to