Hi (quotation below edited)
On Monday 29 July 2013 17:59:53 Matthew Lauber wrote:
> On Sat, Jul 27, 2013 at 7:12 PM, Shai Berger <[email protected]> wrote:
> >
> > a) Use a signed cookie for csrftoken -- using Django's existing signing facility[4], this means signing the cookie with the SECRET_KEY from the settings; so that an attacker cannot set arbitrary cookies, and changing the SECRET_KEY after a compromise immediately invalidates csrftoken cookies.
> >
> > b) Optionally allowing time-limited CSRF tokens. Such tokens will be generated by adding a parameter of maximum age to the csrftoken tag, and by marking view methods (specifically with a decorator, or globally with a setting) as requiring timed tokens. When this is used, the posted token value will need to be different from the cookie value -- to keep advantage 2, the cookie will still be constant, and expiry time will only be present in the submitted token[5]. This method breaks the current way we do CSRF-protected AJAX, so it will likely stay optional (and opt-in).
>
> As I understand (a), it sounds like an excellent scheme, and something that would be simple to update behind the scenes without unduly affecting application code. I'm more ambivalent about (b). Have you or anyone else started work on a patch/pull-request for this?
>

Not that I'm aware of, but (a) is not a new idea, so there may be something out there. Either way, I do not intend to force code-changes on any user with this.

Shai.
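Added example (not from the thread, and not Django's code or any patch for it): a self-contained model of proposals (a) and (b) above. It stands in for django.core.signing with a plain HMAC-SHA256 keyed by SECRET_KEY, so the three properties the proposal claims can be checked offline: only the server can mint a valid csrftoken cookie, rotating SECRET_KEY invalidates every existing cookie, and a timed form token expires while the cookie stays constant. All function names and the secret value are assumptions.

```python
"""Model of the signed-cookie CSRF scheme discussed in the thread.

Constructed example: HMAC-SHA256 under SECRET_KEY stands in for
django.core.signing; it is not Django's implementation.
"""
import base64
import hashlib
import hmac
import secrets
import time


def _mac(secret, payload):
    # Keyed MAC over the payload; urlsafe base64 keeps ':' free as a separator.
    digest = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def new_csrf_token():
    # Random per-session token; token_urlsafe never contains ':'.
    return secrets.token_urlsafe(32)


def sign_cookie(secret, token):
    # (a): cookie = token:mac, so a client cannot set an arbitrary csrftoken cookie.
    return f"{token}:{_mac(secret, token)}"


def verify_cookie(secret, cookie):
    # Returns the token, or None if the MAC fails (forged, or SECRET_KEY rotated).
    token, _, mac = cookie.rpartition(":")
    if not token or not hmac.compare_digest(mac, _mac(secret, token)):
        return None
    return token


def make_timed_token(secret, cookie_token, max_age, now=None):
    # (b): submitted token carries an expiry; the cookie itself stays constant.
    expires = int(now if now is not None else time.time()) + max_age
    payload = f"{cookie_token}:{expires}"
    return f"{payload}:{_mac(secret, payload)}"


def verify_timed_token(secret, cookie, submitted, now=None):
    # Valid only if cookie MAC, token MAC, token/cookie match and expiry all hold.
    cookie_token = verify_cookie(secret, cookie)
    if cookie_token is None:
        return False
    payload, _, mac = submitted.rpartition(":")
    if not payload or not hmac.compare_digest(mac, _mac(secret, payload)):
        return False
    token, _, expires = payload.rpartition(":")
    if not expires.isdigit() or not hmac.compare_digest(token, cookie_token):
        return False
    return int(now if now is not None else time.time()) < int(expires)
```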
