Should the Django CSRF token be unique with every request?

I have a question about Django's CsrfViewMiddleware. I know that Django:

  • Sets a new csrftoken cookie for each request.
  • Checks that the value of the X-CSRFToken header (or the hidden input "csrfmiddlewaretoken") is equal to the csrftoken cookie.

But Django does not check whether a token has already been used (excerpt from CsrfViewMiddleware):

    if not constant_time_compare(request_csrf_token, csrf_token):
        return self._reject(request, REASON_BAD_TOKEN)

So, I can POST several requests with the same token (I tested it on my server).

Is this standard behavior, or do I have the wrong Django configuration? Thanks.

+5
1 answer

CSRF tokens are not consumed.

To expand on Germano's comment, the reasoning behind it is simple:

Multiple browser windows / tabs and REST

In essence, Django would have to create (and store, and distribute across cloud deployments, and synchronize) a new CSRF token for every individual page that has been displayed in the past. Essentially, this would easily lead to denial-of-service attacks, where you cannot accept a reasonable expiry for CSRF.

0
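The following is an added example, not Django's own code and not code from the question or the answer. It models the check the question quotes and the multi-tab argument the answer makes: a per-client secret lives in the cookie, every rendered form or header value is a freshly masked copy of that secret (the random-mask-plus-alphabet-shift scheme Django uses, reimplemented here with my own function names and the same alphabet and lengths as Django's CSRF_ALLOWED_CHARS and CSRF_SECRET_LENGTH), and verification unmasks the submitted value and compares it to the cookie in constant time without recording which tokens have been seen. Which exact value sits in the cookie (the raw secret or a masked copy) has varied across Django releases, so the cookie layout here is an assumption; the point the example demonstrates, that a valid token keeps validating and that two tabs holding two different tokens both pass, does not depend on it.

```python
import hmac
import secrets
import string

# Same alphabet and lengths Django uses for CSRF secrets (assumed to match
# CSRF_ALLOWED_CHARS and CSRF_SECRET_LENGTH; constants are this example's own).
ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32
TOKEN_LENGTH = 2 * SECRET_LENGTH


def new_secret():
    """Generate the per-client secret that the csrftoken cookie carries."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret):
    """Return a fresh masked token for one rendered form or one X-CSRFToken header.

    A random mask is prepended and every secret character is shifted by the
    matching mask character, so the same secret yields a different token each call.
    """
    mask = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))
    shifted = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % len(ALLOWED_CHARS)]
        for s, m in zip(secret, mask)
    )
    return mask + shifted


def unmask_token(token):
    """Invert mask_secret: split off the mask and shift the remainder back."""
    mask, shifted = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % len(ALLOWED_CHARS)]
        for c, m in zip(shifted, mask)
    )


def _well_formed(value, length):
    """Reject wrong lengths and characters outside the alphabet before comparing."""
    return len(value) == length and all(c in ALLOWED_CHARS for c in value)


def check_request(cookie_secret, submitted_token):
    """Server-side check for one unsafe request (POST/PUT/PATCH/DELETE).

    Malformed values fail first; otherwise the unmasked submitted token is
    compared to the cookie secret in constant time. Nothing records which tokens
    have already been seen, so a valid token stays valid as long as the cookie does.
    """
    if not _well_formed(cookie_secret, SECRET_LENGTH):
        return False
    if not _well_formed(submitted_token, TOKEN_LENGTH):
        return False
    return hmac.compare_digest(unmask_token(submitted_token), cookie_secret)


def replay_demo(rounds=3):
    """The poster's experiment: one token, several POSTs. Returns how many passed."""
    cookie = new_secret()
    token = mask_secret(cookie)  # the value a browser would send in X-CSRFToken
    return sum(check_request(cookie, token) for _ in range(rounds))


def tabs_demo():
    """Two tabs render two different tokens from one cookie; both must be accepted."""
    cookie = new_secret()
    tab1, tab2 = mask_secret(cookie), mask_secret(cookie)
    return tab1 != tab2, check_request(cookie, tab1), check_request(cookie, tab2)


if __name__ == "__main__":
    print("accepted POSTs with one token:", replay_demo(3))
    print("(tokens differ, tab 1 ok, tab 2 ok):", tabs_demo())
    cookie = new_secret()
    print("token for another cookie accepted:", check_request(new_secret(), mask_secret(cookie)))
```

Running it shows every replayed POST accepted and both tab tokens passing, while a token minted for a different cookie, a truncated token, or a value with characters outside the alphabet is rejected. This is the trade-off the answer describes: the server keeps no per-token state, so it cannot "consume" a token, and the only thing an attacker's cross-site page cannot do is read the victim's cookie to mint a matching value.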

Source: https://habr.com/ru/post/1201163/
