#33529: Possibly Incorrect statement in the docs about CSRF tokens
----------------------------------------+------------------------
               Reporter:  Michael       |          Owner:  nobody
                   Type:  Bug           |         Status:  new
              Component:  contrib.auth  |        Version:  4.0
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  0
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+------------------------
 https://docs.djangoproject.com/en/4.0/ref/csrf/ says:

 > Note
 >
 > The CSRF token is also present in the DOM, but only if explicitly
 > included using csrf_token in a template. The cookie contains the canonical
 > token; the CsrfViewMiddleware will prefer the cookie to the token in the
 > DOM. Regardless, you're guaranteed to have the cookie if the token is
 > present in the DOM, so you should use the cookie!

 However, from my testing, I think it prefers the DOM token to the cookie.
 You can prove this behaviour as follows:

 1. Log out
 2. Open two tabs to the login screen; tab A and tab B
 3. Log in on tab A; this will destroy the anonymous session and create a
 new session.
 4. Then switch to tab B and Log in
 5. You will get a CSRF error because it is using the DOM token linked to
 the anonymous session (that was destroyed), not the cookie.

 I think that instead of correcting the docs, the cookie-first behaviour is
 desired. However, with the cookie-first approach, why does one need the
 CSRF DOM token (`{% csrf_token %}`)?

 I can only think of the unusual case when one is performing AJAX requests
 with cookies inaccessible via JavaScript.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33529>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
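The check the ticket is probing, reimplemented as an added example (this is not Django's code and not part of the ticket): in Django 4.0 the CSRF secret is masked with a random salt, and CsrfViewMiddleware accepts a request only when the submitted token and the cookie unmask to the same secret, so neither value is "preferred" on its own. `two_tab_scenario` replays the reporter's steps with constructed secrets: the login on tab A rotates the secret, so the DOM token rendered earlier in tab B no longer matches the new cookie.

```python
import hmac
import secrets
import string

# Simplified re-implementation of the Django 4.0 token scheme (added example,
# not Django's own code): a 32-char secret is masked with a random 32-char
# salt, so every rendered token looks different but unmasks to the secret.
CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32

def new_secret() -> str:
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))

def mask_secret(secret: str) -> str:
    """Return salt + cipher, where cipher[i] = (secret[i] + salt[i]) mod 62."""
    salt = new_secret()
    cipher = "".join(CHARS[(CHARS.index(s) + CHARS.index(m)) % len(CHARS)]
                     for s, m in zip(secret, salt))
    return salt + cipher

def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the secret from a 64-char masked token."""
    salt, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(c) - CHARS.index(m)) % len(CHARS)]
                   for c, m in zip(cipher, salt))

def tokens_match(request_token: str, cookie_token: str) -> bool:
    """The middleware's test: the submitted token and the cookie must
    unmask to the same secret; neither one is trusted on its own."""
    for tok in (request_token, cookie_token):
        if len(tok) != 2 * SECRET_LEN or any(c not in CHARS for c in tok):
            return False
    return hmac.compare_digest(unmask_token(request_token), unmask_token(cookie_token))

def two_tab_scenario() -> dict:
    """Replay the ticket's steps with constructed secrets (no real session)."""
    tab_b_dom_token = mask_secret(new_secret())        # form rendered while anonymous
    cookie_after_login = mask_secret(new_secret())     # login on tab A rotates the secret
    fresh_dom_token = mask_secret(unmask_token(cookie_after_login))  # form re-rendered
    return {
        "stale_dom_token_accepted": tokens_match(tab_b_dom_token, cookie_after_login),
        "fresh_dom_token_accepted": tokens_match(fresh_dom_token, cookie_after_login),
        "same_secret_different_masks": fresh_dom_token != cookie_after_login,
    }
```

Reloading the form in tab B after the tab A login gives it a token derived from the rotated secret, which is why a fresh page succeeds while the stale one fails.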