Django CSRF Protection Questions

The documentation has an explanation here, but I had additional questions.

Why is a dedicated CSRF cookie necessary?

If Django does not use invalid transactions, why not just require you to embed the session identifier inside the body of the POST request?

Why is the CSRF nonce bound to a session id? Does Django do this?

This webpage seems to imply that the CSRF nonce should be bound to the session identifier (e.g. CSRF nonce = keyed hash of the session identifier). Why is this? Does Django bind its CSRF nonce to the session id?

Why does Django use session-independent, non-transactional nonces?

Is it due to a performance problem? Intuitively, non-transactional transactions seem to be more secure in nature.

1 answer

CSRF protection and the session are of a different nature, so placing them in the same cookie would be more difficult to maintain.

Here are some differences:

  • You can use CSRF protection without using sessions.
  • You can use CSRF before the session starts (i.e. you do not want to start the session before the user logs in due to performance, but you want to protect your contact form with CSRF).
  • Sometimes you want to delete session cookies, but probably never CSRF.
  • CSRF protection is needed for a single browser session (until you close the browser), but sessions can last even weeks.
  • You might want to have a cross-domain session, but you probably never need a cross-domain CSRF.
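A constructed example (not code from the question, the answer, or Django itself) contrasting the two designs discussed above: a nonce derived as a keyed hash of the session id versus Django's independent CSRF cookie that is simply echoed in the form. The request dicts, cookie names and SERVER_KEY are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-server-key"  # constructed for this example only


# Design A: nonce = keyed hash of the session id (the scheme the question's
# linked page suggests). It cannot be issued or checked without a session.
def session_bound_token(session_id: str) -> str:
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_bound(request: dict) -> bool:
    session_id = request["cookies"].get("sessionid")
    if session_id is None:  # no session yet: nothing to bind the token to
        return False
    expected = session_bound_token(session_id)
    return hmac.compare_digest(expected, request["post"].get("csrf_token", ""))


# Design B: the nonce lives in its own cookie (Django's csrftoken) and is
# echoed in the form; the server only checks that both copies match.
def verify_double_submit(request: dict) -> bool:
    cookie_token = request["cookies"].get("csrftoken", "")
    form_token = request["post"].get("csrf_token", "")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


# Constructed requests; each returns (design A accepts, design B accepts).
def contact_form_before_login() -> tuple:
    """Anonymous visitor: a CSRF cookie was set, but no session exists yet."""
    csrf = secrets.token_urlsafe(32)
    req = {"cookies": {"csrftoken": csrf}, "post": {"csrf_token": csrf}}
    return verify_session_bound(req), verify_double_submit(req)


def form_submitted_after_session_rotation() -> tuple:
    """Session id rotated at login; the open page still carries the old token."""
    csrf = secrets.token_urlsafe(32)
    cookies = {"sessionid": "new-session", "csrftoken": csrf}
    req_a = {"cookies": cookies, "post": {"csrf_token": session_bound_token("old-session")}}
    req_b = {"cookies": cookies, "post": {"csrf_token": csrf}}
    return verify_session_bound(req_a), verify_double_submit(req_b)


def forged_cross_site_post() -> tuple:
    """A third-party page posts blind: it cannot read either cookie value."""
    cookies = {"sessionid": "victim-session", "csrftoken": secrets.token_urlsafe(32)}
    req = {"cookies": cookies, "post": {"csrf_token": "not-the-real-token"}}
    return verify_session_bound(req), verify_double_submit(req)
```

Django additionally masks the cookie value with a per-render mask before placing it in the form, which the plain comparison above leaves out.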

Source: https://habr.com/ru/post/888606/
