Hi Kent,
> Just so I am not missing a class of attacks here: how important is CSRF
> protection for non-session applications? I have always viewed CSRF
> chiefly as an attack where you try to fool somebody who is authenticated
> (and therefore has privileges in the system) to ask the system to
> d
> I had forgotten about the Referer header check. It seems that it
> would stop the subdomain-to-subdomain CSRF attacks as long as
> the site is only using HTTPS, wouldn't it?
Yep. I think the balance there makes sense. It would be nice to figure
out a good way to do optional checking for non-HTTPS,
Paul McMillan writes:
> In the meantime, if you use SSL on each of your subdomains, you get
> strict checking of the Referer header for CSRF, which mitigates that
> particular avenue of attack. Since you're using sessions and auth, you
> should be using SSL, and so the protection is mostly free.
> The applications I have in mind (where the "subdomain can set cookies
> for other subdomains" could hurt) use django.contrib.auth and thus
> sessions as well. Thus, they already have to do a session lookup for the
> auth check, don't they? Could that be reused for the CSRF check?
Yes. Unfortun
Paul, thanks for your reply! Comments inline:
Paul McMillan writes:
>> Would it not be possible to move the second instance of the nonce (that
>> will be compared to the form field) from a cookie to a session variable
>> (at least when a session is available)? Would that result in other
>> probl
> Would it not be possible to move the second instance of the nonce (that
> will be compared to the form field) from a cookie to a session variable
> (at least when a session is available)? Would that result in other
> problems instead?
Yes it's possible, and that's how our CSRF protection worked
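The two mechanisms the thread discusses, strict Referer checking for HTTPS requests and keeping the second copy of the nonce in the session instead of a cookie, as an added example of the reasoning (this is not Django's code and not how any Django release implements its middleware; the Request class, the hostnames, and the attacker-planted cookie value are constructed for illustration):

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Constructed stand-in for a web request: only the fields the checks need."""

    def __init__(self, method, host, is_secure, headers, cookies, session, post):
        self.method = method
        self.host = host            # Host the request was addressed to
        self.is_secure = is_secure  # True when the request arrived over HTTPS
        self.headers = headers
        self.cookies = cookies      # Cookies any *.example.com subdomain could set
        self.session = session      # Server-side session, looked up from sessionid
        self.post = post


def referer_ok(request):
    """Strict Referer check: the referring page must be HTTPS and on exactly the
    request's own host. A sibling subdomain (evil.example.com) therefore fails,
    and so does a missing Referer, which browsers strip on HTTPS->HTTP transitions
    but not on HTTPS->HTTPS ones."""
    referer = request.headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == request.host


def csrf_check(request, token_source):
    """Return (accepted, reason). token_source is "cookie" (the nonce copy lives in
    a cookie the attacker can plant from a subdomain) or "session" (the nonce copy
    lives server-side, out of reach of cookie planting)."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    # Referer is only checked for HTTPS, matching the thread's trade-off: plain
    # HTTP gets no Referer checking at all.
    if request.is_secure and not referer_ok(request):
        return False, "referer"
    if token_source == "session":
        expected = request.session.get("csrf_token")
    else:
        expected = request.cookies.get("csrftoken")
    supplied = request.post.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "token"
    return True, "ok"


def attack_scenarios():
    """Victim is logged in to app.example.com; the attacker controls
    evil.example.com and has set csrftoken=ATTACKER_TOKEN for domain
    .example.com, then auto-submits a form carrying that same value."""
    attacker_token = "a" * 32           # value the attacker chose and planted
    real_token = secrets.token_hex(16)  # value the server actually issued
    common = dict(method="POST", host="app.example.com",
                  cookies={"sessionid": "victim-session", "csrftoken": attacker_token},
                  session={"csrf_token": real_token},
                  post={"csrfmiddlewaretoken": attacker_token})
    http_forged = Request(is_secure=False,
                          headers={"Referer": "http://evil.example.com/"}, **common)
    https_forged = Request(is_secure=True,
                           headers={"Referer": "https://evil.example.com/"}, **common)
    # A legitimate same-host submission for comparison.
    legit = dict(common, post={"csrfmiddlewaretoken": real_token})
    https_legit = Request(is_secure=True,
                          headers={"Referer": "https://app.example.com/form"}, **legit)
    return {
        # Cookie-held nonce over HTTP: the planted cookie matches the forged field.
        "http_cookie": csrf_check(http_forged, "cookie"),
        # Same forgery over HTTPS: stopped by the Referer host mismatch.
        "https_cookie": csrf_check(https_forged, "cookie"),
        # Session-held nonce over HTTP: the planted cookie is simply not consulted.
        "http_session": csrf_check(http_forged, "session"),
        # Genuine submission still passes both checks.
        "https_session_legit": csrf_check(https_legit, "session"),
    }


if __name__ == "__main__":
    for name, result in attack_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario is the weakness described above: when the only server-held copy of the nonce is a cookie, any subdomain that can set cookies for the parent domain can supply both halves of the comparison. The other two scenarios show why either fix on its own closes that particular avenue, at the cost (for the session variant) of a session lookup on every unsafe request.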
Hi,
> Today we've released Django 1.3.1 and Django 1.2.6 to deal with
> several security issues reported to us. Details of these issues and
> the releases, along with several important advisory notes, are
> available in the blog post on djangoproject.com:
>
> https://www.djangoproject.com/weblog/