On Wed, Feb 9, 2011 at 11:23 AM, Brian Craft <bc...@thecraftstudio.com> wrote:
> I notice that the csrf token is not secure, i.e. the Set-Cookie is
> constructed w/o the "secure" option, so the browser will send it
> in-the-clear. It's trivial, then, for a 3rd party to discover the csrf
> token.
>
> Am I missing something?
The CSRF token isn't a cookie (or at least, it shouldn't be) -- it's a form field. The security principle behind the CSRF token isn't so much that it's not discoverable, as much as that an attacker can't construct a link that gets your browser to submit it to the server. If your site is under SSL (you're talking about secure-only cookies, so I presume that this is the case), then the CSRF token should only appear in the HTML forms that the server sends to your browser, and the POST requests that your browser makes back, both of which should be protected.

If the CSRF token was set in a cookie, then it would be sent with every single request that the browser made, and it really would be trivial for an attacker to get you to make a valid request of the web server, whether he could discover the contents of that cookie or not. (SSL wouldn't even help; he could construct an https:// link just as easily.) That's not how it's supposed to be set up, though.

--
Regards,
Ian Clelland <clell...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
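Ian's point above, as an added simulation that is neither Django's implementation nor code from this thread: the browser attaches its cookies to any POST aimed at the server, whichever site authored the form, whereas a hidden field embedded in the server's own form cannot be read or reproduced from another origin. The Server, Browser and demo names are constructed for this example.

```python
import secrets

# Constructed simulation (not Django's code): a server holding a per-session
# CSRF token, a browser that attaches its cookies to every request, and three
# POSTs: from the server's own form, from a cross-site page, and against a
# hypothetical cookie-only check.

class Server:
    def __init__(self):
        self.sessions = {}  # session id -> expected CSRF token (server side)

    def render_form(self, browser):
        """GET: start a session, set the cookie, embed the token as a hidden field."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        browser.cookies["sessionid"] = sid
        return {"csrfmiddlewaretoken": token}  # what the HTML form carries

    def handle_post(self, req, cookie_only=False):
        expected = self.sessions.get(req["cookies"].get("sessionid"))
        if expected is None:
            return False
        if cookie_only:
            # The flawed layout the reply warns about: the token travels in a
            # cookie, so the browser sends it whether or not the form was ours.
            supplied = req["cookies"].get("csrftoken")
        else:
            supplied = req["form"].get("csrfmiddlewaretoken")
        return supplied is not None and secrets.compare_digest(supplied, expected)

class Browser:
    def __init__(self):
        self.cookies = {}

    def submit(self, form_fields):
        # Cookies go along regardless of which site authored the form.
        return {"cookies": dict(self.cookies), "form": dict(form_fields)}

def demo():
    server, browser = Server(), Browser()
    hidden = server.render_form(browser)
    legit = server.handle_post(browser.submit(hidden))
    # A page on another origin can trigger the POST but cannot read the hidden
    # field out of our form, so the best it can do is guess the token.
    forged = server.handle_post(browser.submit({"csrfmiddlewaretoken": "guess"}))
    # Cookie-only variant: same token, but now it rides in a cookie.
    browser.cookies["csrftoken"] = server.sessions[browser.cookies["sessionid"]]
    forged_cookie = server.handle_post(browser.submit({}), cookie_only=True)
    return legit, forged, forged_cookie  # (True, False, True)
```

The third result is the failure mode in the reply: with the token in a cookie, a request the browser was tricked into sending validates just as well as one from the real form.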