I'm not an expert in security, but here is how I would answer the question.
The CSRF approach that Django 1.2 implements would prevent *most* of these
problems, since the attacker wouldn't be able to POST new data to the site by
stealing the cookie alone. IBM applies CSRF tags to each step the user
interacts with on the entire site, in a technique known as
continuations <http://www.ibm.com/developerworks/library/j-contin.html>.
These techniques only prevent *most* attacks, though; the session can still
be hijacked, just with a reduced window of opportunity.

I say *most* because if you can snoop on the HTTP traffic, you theoretically
could capture the in-plain-text CSRF token the server handed the user once it
had been generated (e.g. from being on a user account's reset-my-password
page). An attacker could form a valid POST using the CSRF token just
captured, and I think it would work.

Not even validating that the IP is the same for each CSRF token would solve
the problem either, considering these two users are probably going to be in a
coffee shop, behind a NAT.

One possible solution would be to have some kind of hardware attestation or
browser attestation and tie session info to that.  If anyone has any
thoughts on how this could be done, please let me know.

Brian

On Mon, Oct 25, 2010 at 6:47 AM, cootetom <[email protected]> wrote:

> Hi, a Firefox extension was recently released to grab session ID
> cookies from a private network for the popular sites like Facebook etc.
> You can read about it here: http://goo.gl/x4Z1
>
> I was wondering how Django sits with this type of attack. I know there
> are the CSRF tokens; do they prevent this, though? I thought they were
> just for form posts?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<django-users%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
>


-- 
Brian Bouterse
ITng Services
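As an added illustration of the reasoning in Brian's reply (this is a constructed simulation written for this page, not Django's code and not anything the poster wrote), the model below mimics a Django 1.2-style double-submit CSRF check: the server sets a `csrftoken` cookie and expects the same value back in a `csrfmiddlewaretoken` form field. A passive observer sees only cleartext `http://` traffic. Three runs show the three situations discussed: a stolen session cookie alone is refused by the CSRF check, a session cookie plus a token captured from a plaintext form POST is accepted, and cookies flagged `Secure` never cross the wire in plaintext at all. The class and function names, the status codes and the `alice` sample user are all assumptions made for the example.

```python
"""Constructed model of the CSRF-vs-session-hijack question in the thread.

Not Django's implementation: a tiny browser, a passive sniffer that only
sees cleartext requests, and a server whose POST handler needs a valid
session cookie plus a csrftoken cookie matching the csrfmiddlewaretoken
form field (the double-submit pattern Django 1.2 uses).
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Cookie:
    value: str
    secure: bool = False  # Secure flag: the browser sends it over https only


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)

    def request(self, scheme, form=None):
        """Build the wire-visible request for the given URL scheme."""
        sent = {name: c.value for name, c in self.cookies.items()
                if scheme == "https" or not c.secure}
        return {"scheme": scheme, "cookies": sent, "form": dict(form or {})}


class Server:
    def __init__(self, secure_cookies=False):
        self.secure_cookies = secure_cookies
        self.sessions = {}  # session id -> username (constructed store)

    def login(self, browser, user):
        """Issue a session cookie and a CSRF cookie to the browser."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.cookies["sessionid"] = Cookie(sid, self.secure_cookies)
        browser.cookies["csrftoken"] = Cookie(secrets.token_hex(16),
                                              self.secure_cookies)

    def post(self, request):
        """Return an HTTP-style status for a state-changing POST."""
        if request["cookies"].get("sessionid") not in self.sessions:
            return 401  # no usable session
        cookie_token = request["cookies"].get("csrftoken", "")
        form_token = request["form"].get("csrfmiddlewaretoken", "")
        # constant-time comparison, as a real CSRF check should use
        if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
            return 403  # CSRF check failed
        return 200


def wire_capture(request):
    """What a passive sniffer on the same network sees: cleartext only."""
    return request if request["scheme"] == "http" else None


def replayed_post_status(secure_cookies, form_over_http):
    """Status the server returns to a POST rebuilt purely from sniffed traffic.

    The victim first browses the site over plain http (cookies leak unless
    they are Secure), then submits a form over `http` or `https`.
    """
    server = Server(secure_cookies=secure_cookies)
    victim = Browser()
    server.login(victim, "alice")  # constructed sample user
    form = {"csrfmiddlewaretoken": victim.cookies["csrftoken"].value,
            "email": "alice@example.invalid"}
    form_scheme = "http" if form_over_http else "https"
    observed = [wire_capture(victim.request("http")),
                wire_capture(victim.request(form_scheme, form))]
    # Rebuild one request from everything that was visible on the wire.
    replay = {"scheme": "https", "cookies": {}, "form": {}}
    for seen in filter(None, observed):
        replay["cookies"].update(seen["cookies"])
        replay["form"].update(seen["form"])
    return server.post(replay)


if __name__ == "__main__":
    print("session cookie only          ->", replayed_post_status(False, False))
    print("cookie + token from http POST ->", replayed_post_status(False, True))
    print("Secure cookies, https forms   ->", replayed_post_status(True, False))
```

The second run is exactly the case the reply describes: the CSRF token is not a secret from anyone who can read the plaintext request that carries it, so the check narrows the window but does not close it. The third run shows why the practical mitigation is to keep the session and CSRF cookies off plaintext connections (the `Secure` flag, with the site served over HTTPS), rather than to ask the CSRF layer to do a job it was not designed for.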
