#35796: Add signing support to the CSRF cookie
-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: csrf cookie signing | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Benjamin Zagorsky):
* summary: Add setting to sign CSRF cookie => Add signing support to the CSRF cookie
Old description:
> Django should have a setting `CSRF_COOKIE_SIGNED` that uses the cookie
> signing infrastructure to sign the CSRF cookie. This would enable sites
> running on a subdomain of a shared domain name (ex.
> [SUBDOMAIN].herokuapp.com) to have protection from cookie tampering
> (reducing the caveat currently under
> https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
>
> This setting should initially default to `False` for backwards
> compatibility, although this could be changed in a future major release.
New description:
Django's CSRF middleware should support signing and checking signatures on
CSRF cookies. This would enable sites running on a subdomain of a shared
domain name (ex. [SUBDOMAIN].herokuapp.com) to have protection from cookie
tampering (reducing the caveat currently under
https://docs.djangoproject.com/en/5.1/ref/csrf/#csrf-limitations).
In order to do this in a backwards compatible way, Django should have a
setting `CSRF_COOKIE_SIGNING` that takes three settings:
1. `"disabled"` (default): CSRF token is not signed, but CSRF middleware
accepts both signed and unsigned cookies.
2. `"lenient"`: CSRF token is signed, and CSRF middleware accepts both
signed and unsigned cookies.
3. `"strict"`: CSRF token is signed, and CSRF middleware only accepts
signed cookies.
This would enable people to upgrade their systems over two releases with
no disruption to users, stepping from `"disabled"` to `"lenient"` in one
release and `"lenient"` to `"strict"` in the second release.
Django forum thread: https://forum.djangoproject.com/t/signing-the-csrf-cookie/35156/3
--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
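The three-mode scheme proposed in the ticket, as an added stand-alone Python example (not the ticket's or Django's own code). It assumes a constructed `SECRET_KEY`, an HMAC-SHA256 `token:signature` layout as a stand-in for `django.core.signing.Signer`, and the hypothetical names `outgoing_cookie_value`, `incoming_token` and `check_request` for the middleware's set and verify paths. It shows what each mode does with a validly signed cookie and with a cookie that was set without knowledge of the secret, which is the case the shared-domain caveat is about.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Constructed stand-ins for Django's SECRET_KEY and the proposed setting.
# Django itself would use django.core.signing.Signer; this HMAC-SHA256
# helper only mirrors the "value:signature" shape for illustration.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
MODES = ("disabled", "lenient", "strict")
SEP = ":"
# Django draws CSRF secrets from letters and digits only, so the separator
# can never occur inside an unsigned token and rpartition is unambiguous.
TOKEN_CHARS = string.ascii_letters + string.digits


def new_token(length: int = 32) -> str:
    """Generate a random CSRF secret (length chosen for the example)."""
    return "".join(secrets.choice(TOKEN_CHARS) for _ in range(length))


def _mac(token: str) -> str:
    digest = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_token(token: str) -> str:
    """Cookie value written to the client when signing is on."""
    return f"{token}{SEP}{_mac(token)}"


def unsign_token(value: str):
    """Return the embedded token if value carries a valid signature, else None."""
    token, sep, sig = value.rpartition(SEP)
    if not sep or not token or not sig:
        return None
    # constant-time comparison so timing does not leak signature bytes
    if not hmac.compare_digest(sig, _mac(token)):
        return None
    return token


def outgoing_cookie_value(token: str, mode: str) -> str:
    """What the middleware would set as the CSRF cookie under each mode."""
    if mode not in MODES:
        raise ValueError(f"unknown CSRF_COOKIE_SIGNING value: {mode!r}")
    return token if mode == "disabled" else sign_token(token)


def incoming_token(cookie_value: str, mode: str):
    """Token extracted from a request cookie, or None if the cookie is rejected."""
    if mode not in MODES:
        raise ValueError(f"unknown CSRF_COOKIE_SIGNING value: {mode!r}")
    token = unsign_token(cookie_value)
    if token is not None:
        return token            # a validly signed cookie is accepted in every mode
    if mode == "strict":
        return None             # strict: unsigned or tampered cookies are rejected
    return cookie_value         # disabled / lenient: raw value is the token


def check_request(cookie_value: str, request_token: str, mode: str) -> bool:
    """Simplified CSRF check: cookie token must be present and match the form token."""
    token = incoming_token(cookie_value, mode)
    return token is not None and hmac.compare_digest(token, request_token)


if __name__ == "__main__":
    token = new_token()
    # Constructed scenario: a cookie value chosen without knowledge of SECRET_KEY,
    # paired with a matching form token. Only "strict" refuses it.
    planted = "A" * 32
    for mode in MODES:
        legit = check_request(outgoing_cookie_value(token, mode), token, mode)
        forged = check_request(planted, planted, mode)
        print(f"{mode:<8} legitimate={legit} unsigned_cookie_accepted={forged}")
```

Note that `"lenient"` still accepts an unsigned cookie, so the tampering protection only takes effect at `"strict"`; the value of the intermediate step is that every client gets a signed cookie in the first release, so the second release can refuse unsigned ones without logging users out.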