The base CSRF secret is per-user, not global. So while you could write a script to hit a page over and over and harvest CSRF tokens, those tokens would only be valid for the session/user associated with your script. Attempting to use them to execute a CSRF attack against another user would fail (since the other user would have a different base CSRF secret, and therefore the tokens you'd harvested would not be valid for that user).
To generate a valid token for another user, you would need to see valid tokens for that user. The only way to do this (assuming a properly-configured site using HTTPS) is to already have compromised that user's account. In which case, it doesn't matter that you can CSRF them, because you've already fully compromised their account.

--
You received this message because you are subscribed to the Google Groups "Django users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAL13Cg_FA4U-FDbJGfn0g%2B8UJ_BxU6B1cL1eEJek9g9to68SgQ%40mail.gmail.com.
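A stand-alone illustration of the per-user secret argument above, added here as an example rather than taken from the message or from Django itself; it mirrors the mask/unmask scheme Django's CSRF middleware uses (a fresh random mask prepended to the alphabet-shifted secret), and the function names and the two simulated sessions are this example's own.

```python
import hmac
import secrets
import string

# Alphabet and lengths match the scheme used by Django's CSRF middleware.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_secret():
    """Per-user secret: lives in that user's session/cookie, never shared globally."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret):
    """Issue one form token: random mask + secret shifted by the mask.

    Each call yields a different token for the same secret, so collecting many
    tokens reveals nothing beyond the collector's own secret.
    """
    mask = new_csrf_secret()
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: recover the secret a token was derived from."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def token_is_valid_for(token, session_secret):
    """Server-side check: the submitted token must unmask to *this* user's secret."""
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False
    return hmac.compare_digest(unmask_token(token), session_secret)


def demo():
    """Tokens issued to session A validate for A only; they are rejected for session B."""
    secret_a, secret_b = new_csrf_secret(), new_csrf_secret()  # two constructed sessions
    tokens_for_a = [mask_secret(secret_a) for _ in range(5)]   # five page loads as A
    valid_for_a = all(token_is_valid_for(t, secret_a) for t in tokens_for_a)
    valid_for_b = any(token_is_valid_for(t, secret_b) for t in tokens_for_a)
    return valid_for_a, valid_for_b  # (True, False)
```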