In the classic meaning of CSRF, you are right. But if javascript from a malicious site can get access to all cookies in the browser, it would be trivially simple to construct an XmlHttpRequest that contains the correct CSRF token. While most browsers are sandboxing data, I do not want to rely on that.
On Wednesday, April 23, 2014 6:47:58 PM UTC+2, Randall Leeds wrote:
>
> I could be wrong, and would love to be corrected, but storing the CSRF token in a session cookie doesn't seem problematic to me since the cookie should only be readable by your origin.
>
> It would only become a concern if you started allowing cross origin requests with credentials.
>
> On Apr 23, 2014 8:09 AM, "Anders Wegge" <[email protected]> wrote:
>
>> As I read the documentation for SignedCookieSessionFactory, the data stored in the session is not encrypted. So storing a CSRF token in the session Cookie is not a good option. Pyramid_beaker seems to have been deprecated with release 1.5, so which options are the best for a site with very few actions requiring CSRF and other session data? My first thought is to pickle the session data and store them in a blob in the user database, but if there is something simpler and/or more elegant available, I'd like to hear the alternatives.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/pylons-discuss.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
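To illustrate the point made in this thread (a signed session cookie is tamper-evident but not confidential), here is an added Python sketch that is neither from the thread nor from Pyramid itself: a simplified HMAC-signed cookie loosely modelled on SignedCookieSessionFactory (the real factory pickles, uses SHA-512 by default, and exposes an `httponly` argument). It shows that the CSRF token is readable without the secret, that tampering is still detected, and that the HttpOnly flag is what keeps script from reading the cookie at all; the secret and session values are constructed samples.

```python
import base64
import hashlib
import hmac
import json

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes of MAC in front of the payload


def sign_session(secret: bytes, data: dict) -> str:
    """Serialize the session, prepend an HMAC, base64 the whole thing.
    Nothing here is encrypted: the signature proves integrity, not secrecy."""
    payload = json.dumps(data, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig + payload).decode()


def verify_session(secret: bytes, cookie: str):
    """Return the session dict if the signature verifies, else None."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    sig, payload = raw[:SIG_LEN], raw[SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def peek_without_secret(cookie: str) -> dict:
    """Anyone holding the cookie string (e.g. page script, if the cookie is
    not HttpOnly) can decode the payload; the secret is only needed to forge."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    return json.loads(raw[SIG_LEN:])


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line with the flags that keep document.cookie from exposing
    the session (HttpOnly) and limit cross-site sends (SameSite)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample, not a real key
    cookie = sign_session(secret, {"csrf_token": "t0k3n", "user": "alice"})
    print(peek_without_secret(cookie))  # token is visible without the secret
    print(set_cookie_header("session", cookie))
```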
