Hi, I have recently updated a fairly high-traffic website from Django 1.0 to 1.3. I added the CSRF token to every form on the website, but nevertheless we regularly hear back from users who get the dreaded 403 error on form submits. I added some logging to the CSRF error view (thanks to Sentry for making this so easy), and what I found out is that the failing requests have no cookies at all. After observing this for a couple of days, it seems that ~5% of our users have blocked cookies completely. This amounts to dozens of CSRF failures a day that are not attacks, but normal users trying to submit a contact form or some such.
After thinking about this for a while, I came up with the following idea: CSRF attacks make use of the session cookie to make malicious requests in the name of the user. But in the case of the user blocking cookies, there is no session cookie to abuse. So what if I modified (through inheritance) the behavior of the CsrfViewMiddleware in such a way that it accepts requests that have no cookies at all? Would that open any attack vectors?

Kind regards,
Benjamin
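As an added illustration of the proposed relaxation (this is not code from Benjamin's post and not Django's own middleware; `Request`, `check_csrf` and `evaluate` are stand-ins for `HttpRequest` and `CsrfViewMiddleware.process_view`, and the sample requests are constructed), the following models Django 1.3's cookie-vs-form-token check with an `allow_cookieless` switch and runs a handful of requests through both policies. It also shows the two caveats a reviewer would raise: a request can carry ambient credentials other than cookies (browsers replay HTTP Basic/Digest credentials and TLS client certificates automatically), and a browser that has never visited the site also sends no cookies, so any form Django protects for anonymous users (a login form, if the site has one) becomes forgeable under the relaxed rule.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict

# Assumed names for this illustration only; they are not Django's API.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Minimal stand-in for django.http.HttpRequest (assumption)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def check_csrf(req: Request, allow_cookieless: bool = False) -> str:
    """Return "accept" or "reject" for one request.

    Mirrors the shape of Django 1.3's check: unsafe methods must carry a
    csrfmiddlewaretoken form field equal to the csrftoken cookie.
    allow_cookieless is the proposed relaxation: a request with no
    cookies at all is waved through instead of getting a 403.
    """
    if req.method in SAFE_METHODS:
        return "accept"

    if not req.cookies:
        if not allow_cookieless:
            return "reject"  # stock behaviour: no cookie, no token, 403
        # The relaxation is only sound if the cookie was the *only*
        # credential the browser attaches on its own. HTTP auth is
        # replayed by the browser exactly like a cookie, so refuse the
        # shortcut when an Authorization header is present. (The same
        # applies to TLS client certificates or IP-based trust, which a
        # real deployment would have to detect in its own way.)
        if "Authorization" in req.headers:
            return "reject"
        return "accept"

    cookie_token = req.cookies.get("csrftoken", "")
    form_token = req.post.get("csrfmiddlewaretoken", "")
    if cookie_token and hmac.compare_digest(cookie_token, form_token):
        return "accept"
    return "reject"


# Constructed sample requests, not real traffic.
TOKEN = "a7f3c0de9b1e4f5a8c2d6e0f1b3a5c7d"
SAMPLES = {
    # Legitimate user: session cookie, CSRF cookie and matching form token.
    "normal_user": Request(
        "POST",
        {"sessionid": "s1", "csrftoken": TOKEN},
        {"csrfmiddlewaretoken": TOKEN, "msg": "hi"},
    ),
    # Classic CSRF: attacker's page posts from the victim's browser, which
    # attaches the cookies but cannot read the token.
    "forged_with_cookies": Request(
        "POST", {"sessionid": "s1", "csrftoken": TOKEN}, {"msg": "pwned"}
    ),
    # The ~5% case from the post: user has cookies disabled entirely.
    "cookie_blocker": Request("POST", {}, {"msg": "hi"}),
    # No cookies, but the browser replays cached Basic credentials.
    "basic_auth_no_cookies": Request(
        "POST", {}, {"msg": "pwned"}, {"Authorization": "Basic dXNlcjpwdw=="}
    ),
    # First-time visitor: the browser has no cookies for the site yet, so an
    # attacker's page can post the attacker's own credentials to a login
    # form (login CSRF) and the cookie-less rule cannot tell it apart from
    # the cookie-blocking user above.
    "login_form_first_visit": Request(
        "POST", {}, {"username": "attacker", "password": "attacker-pw"}
    ),
}


def evaluate(allow_cookieless: bool) -> Dict[str, str]:
    """Run every sample through check_csrf under one policy."""
    return {name: check_csrf(r, allow_cookieless) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_cookieless={policy}")
        for name, verdict in evaluate(policy).items():
            print(f"  {name:24s} {verdict}")
```

The point of running both policies side by side is that the relaxation does fix the cookie-blocking users without weakening the classic session-cookie case, but it trades that for the two cookie-less cases at the bottom; whether those matter depends on whether the site has any form that is worth forging anonymously and on whether anything other than cookies authenticates a request.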