The base CSRF secret is per-user, not global. So while you could write a script to hit a page over and over and harvest CSRF tokens, those tokens would only be valid for the session/user associated with your script. Attempting to use them to execute a CSRF attack against another user would fail (since the other user would have a different base CSRF secret, and therefore the tokens you'd harvested would not be valid for that user).
To generate a valid token for another user, you would need to see valid tokens for that user. The only way to do this (assuming a properly-configured site using HTTPS) is to already have compromised that user's account. In which case, it doesn't matter that you can CSRF them, because you've already fully compromised their account.

-- 
You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAL13Cg_FA4U-FDbJGfn0g%2B8UJ_BxU6B1cL1eEJek9g9to68SgQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
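The argument in the reply above (a harvested token only ever encodes the harvester's own per-session secret, so it cannot validate for anyone else) can be checked with a small model of Django's mask-and-rotate token scheme. The code below is an added illustration, not Django's csrf middleware and not the poster's code: it mirrors the shape of Django's scheme (a 32-character per-session secret, a fresh random mask per render, and the token being mask plus alphabet-shifted secret), but the function names and the `harvested_tokens_cross_user` scenario are assumptions made for the demonstration. Real Django additionally ties the secret to the session or CSRF cookie and checks the Origin/Referer, which this model leaves out.

```python
import hmac
import secrets
import string

# Alphabet shared by secrets, masks and tokens (same character set Django uses).
# Everything below is an added model of the scheme, not Django's own code.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def _random_chars(n: int) -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def new_user_secret() -> str:
    """Per-user (per-session) base secret; kept server-side, never sent as-is."""
    return _random_chars(CSRF_SECRET_LENGTH)


def mask_secret(secret: str) -> str:
    """Token handed out on a page render: random mask || (secret + mask) mod alphabet.

    Every render yields a different-looking token, but each one encodes the same
    base secret, which is why harvesting many of them gains nothing.
    """
    mask = _random_chars(CSRF_SECRET_LENGTH)
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: recover the base secret the token was derived from."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def token_is_valid(submitted_token: str, session_secret: str) -> bool:
    """Server-side check: reject malformed tokens, then compare the unmasked
    secret against the session's secret in constant time."""
    if len(submitted_token) != CSRF_TOKEN_LENGTH:
        return False
    if any(ch not in CSRF_ALLOWED_CHARS for ch in submitted_token):
        return False
    return hmac.compare_digest(unmask_token(submitted_token), session_secret)


def harvested_tokens_cross_user(n: int = 5) -> dict:
    """Hypothetical scenario from the thread: a script harvests n tokens from its
    own session and they are then tried against a different user's session."""
    harvester_secret = new_user_secret()   # constructed: the script's own session
    other_user_secret = new_user_secret()  # constructed: some other user's session
    harvested = [mask_secret(harvester_secret) for _ in range(n)]
    return {
        "all_distinct": len(set(harvested)) == n,
        "valid_for_harvester": all(token_is_valid(t, harvester_secret) for t in harvested),
        "valid_for_other_user": any(token_is_valid(t, other_user_secret) for t in harvested),
    }


if __name__ == "__main__":
    print(harvested_tokens_cross_user())
```

Running the script prints a dict where `all_distinct` and `valid_for_harvester` are `True` while `valid_for_other_user` is `False`: the tokens look unrelated to each other, all validate for the session that produced them, and none validate for a session with a different base secret. The masking exists to defeat compression-oracle attacks such as BREACH, not to hide the secret from its own session, so the per-session secret is what carries the cross-user protection the reply describes.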

