#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: Uncategorized | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by Glenn):
One more observation: if you can tamper with a user's CSRF cookie, you can
tamper with their session cookie too. In other words, if you can do this,
you don't need login CSRF at all. Log in a session yourself, and then set
the victim's session to the session you already logged in. So, the
combination of "MITM/same-site cookies" + "login CSRF" is a moot issue.
Session replacement is still something that would be nice to protect
against, but that's a session security issue and irrelevant to CSRF (if we
implement session-CSRF-locking as above).
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:33>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
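An added illustration, not code from the ticket or from Django itself, of the "session-CSRF-locking" Glenn refers to: the CSRF token is an HMAC over the session key, so a token minted for one session is rejected when presented with another, while a wholesale swap of the session cookie still satisfies the CSRF check and therefore has to be addressed as a session-security matter. The secret and session keys below are constructed values.

```python
import hashlib
import hmac

# Constructed server-side secret (in Django this role is played by SECRET_KEY).
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def session_bound_csrf_token(session_key: str) -> str:
    """Derive a CSRF token locked to one session: HMAC(secret, session_key).

    The token carries no state of its own; it is only valid when it arrives
    together with the session it was derived from.
    """
    return hmac.new(SERVER_SECRET, session_key.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_key: str, submitted_token: str) -> bool:
    """Recompute the expected token for the request's session and compare in
    constant time, so token values cannot be guessed byte by byte."""
    expected = session_bound_csrf_token(session_key)
    return hmac.compare_digest(expected, submitted_token)


def simulate(victim_session: str, attacker_session: str) -> dict:
    """Walk through the three cases discussed in the ticket comment."""
    victim_token = session_bound_csrf_token(victim_session)
    attacker_token = session_bound_csrf_token(attacker_session)
    return {
        # Normal request: the user's own token alongside the user's own session.
        "own_token_accepted": check_csrf(victim_session, victim_token),
        # Classic CSRF: a form carries a token from some other session, but the
        # browser attaches the victim's session cookie; the lock rejects it.
        "foreign_token_rejected": not check_csrf(victim_session, attacker_token),
        # Cookie tampering: the whole session cookie is replaced. The CSRF lock
        # holds (token and session still match), which is why the comment treats
        # session replacement as a session-security issue rather than a CSRF one.
        "session_swap_passes_csrf": check_csrf(attacker_session, attacker_token),
    }
```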