#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by Glenn):
What bugs me is that swapping out CSRF cookies (with cross-site cookies or
MITM) feels like a regression. Before, if you swapped out the CSRF token,
you had to do so by swapping out the whole session, so you're logging the
user out. That meant you could do login CSRF this way (which you could do
anyway), but nothing else.
> Django it will work slightly differently as a session is created before
the user logs in, not on the POST request that contains the authentication
credentials, which complicates applying that paper directly.
I havn't read the whole thing (like most papers, it's so long the
important points are obscured), but the idea is something like this (which
is a bit easier to think about now that it's been in the back of my mind
for a day):
#1: In CsrfViewMiddleware.process_view, if a session exists and it has a
known CSRF token, it must match the real CSRF cookie. If it doesn't, the
CSRF cookie may have bee nswapped out; reject the request (and flush the
session to recover the user).
#2: In CsrfViewMiddleware.process_response, if there's an existing
session, and it doesn't have a stored CSRF value, copy it.
(To be clear: The CSRF cookie remains the authoritative value of the CSRF
token. The value in the session, if any, only validates the CSRF cookie,
to prevent swaps.)
This would handle session.flush correctly (eg. on login and logout). When
auth.logoout flushes the session, the CSRF cookie is untouched. When we
get to CVM.process_response, the existing CSRF value will be immediately
copied to the new session.
This would handle session expiry correctly. After session expiry, the
CSRF cookie remains. If the user then makes a new request which creates a
new session, the existing CSRF cookie is then added to the new session.
It would also keep contrib.session optional. If sessions aren't being
used, then security against CSRF cookie tampering is lost, but protection
for the major cases (remote CSRF) still works.
I think this would protect against both the HTTP/MITM attack and same-
domain CSRF (not including login CSRF). Let me know if you see any holes.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:32>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---
