I don't think I explained this well. Storing sensitive data in the session cookie is only a problem when the data is sensitive to inspection by your _legitimate_ users. For instance, if you were making a gambling game you wouldn't want to store information about the game state that isn't visible on the gambling table, e.g. the dealer's hand. With that information, the player could cheat.
The CSRF token is often rendered in your forms as a hidden field, which means it's always available by simple inspection of the page source. It's not sensitive in the same way. The CSRF protection comes from ensuring that a cross-site request cannot obtain a CSRF token and cause a subsequent request with the corresponding session cookie. Without cross-origin credentialed requests the attacker cannot send the session cookie. Even if an attacker can't decrypt the cookie, so long as they can send it they can pass the CSRF check. If your session cookie can be hijacked it's a problem. To prevent that you need to guard against cross-site scripting vulnerabilities (sanitize user-submitted HTML and such) and use SSL.

On Wed, Apr 23, 2014 at 9:47 AM, Randall Leeds <[email protected]> wrote:

> I could be wrong, and would love to be corrected, but storing the CSRF
> token in a session cookie doesn't seem problematic to me since the cookie
> should only be readable by your origin.
>
> It would only become a concern if you started allowing cross origin
> requests with credentials.
>
> On Apr 23, 2014 8:09 AM, "Anders Wegge" <[email protected]> wrote:
>
>> As I read the documentation for SignedCookieSessionFactory, the data
>> stored in the session is not encrypted. So storing a CSRF token in the
>> session Cookie is not a good option. Pyramid_beaker seems to have been
>> deprecated with release 1.5, so which options are the best for a site with
>> very few actions requiring CSRF and other session data? My first thought is
>> to pickle the session data, and store them in a blob in the user
>> database, but if there is something simpler and/or more elegant available,
>> I'd like to hear the alternatives.
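The distinction the thread turns on, a cookie that is signed but not encrypted, is easy to see in code. The following is an added example, not code from the thread or from Pyramid's own SignedCookieSessionFactory: it builds a cookie the same general way (serialized payload plus an HMAC-SHA512 tag, with JSON standing in for pickle), then shows that anyone holding the cookie can read the payload without the secret, that any change to the payload fails verification, and that the CSRF check is just a comparison between the token in the session and the one submitted from the hidden form field. The secret, the `dealer_hand` value and the `csrf_token` value are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the demo; a real app loads it from config.
SECRET = b"constructed-demo-secret-do-not-reuse"
TAG_LEN = hashlib.sha512().digest_size  # 64 bytes


def sign_session(data: dict, secret: bytes = SECRET) -> str:
    """Serialize the session and prepend an HMAC-SHA512 tag.

    This is the shape of a signed (not encrypted) cookie: the payload is
    merely base64-encoded, so the holder can read it, but any change to it
    invalidates the tag.
    """
    payload = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha512).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()


def load_session(cookie: str, secret: bytes = SECRET):
    """Return the session dict if the tag verifies, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha512).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def inspect_without_secret(cookie: str) -> dict:
    """What the legitimate user (or anyone else holding the cookie) can read.

    No secret is needed: this is exactly why data such as a dealer's hand
    must not live in a signed-only session.
    """
    raw = base64.urlsafe_b64decode(cookie.encode())
    return json.loads(raw[TAG_LEN:])


def modified_cookie(cookie: str, key: str, value) -> str:
    """Re-encode the cookie with one field changed but the original tag kept.

    Used only to demonstrate that load_session rejects the result.
    """
    raw = base64.urlsafe_b64decode(cookie.encode())
    data = json.loads(raw[TAG_LEN:])
    data[key] = value
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw[:TAG_LEN] + payload).decode()


def csrf_check(session: dict, submitted_token: str) -> bool:
    """Compare the hidden-field token from the form with the one in the session."""
    stored = session.get("csrf_token")
    return stored is not None and hmac.compare_digest(stored, submitted_token)


def demo() -> dict:
    """Run the three checks and return their outcomes."""
    session = {"csrf_token": "constructed-token-123", "dealer_hand": ["AS", "KH"]}
    cookie = sign_session(session)
    return {
        "readable_without_secret": inspect_without_secret(cookie)["dealer_hand"],
        "verifies_intact": load_session(cookie) == session,
        "rejects_modified": load_session(modified_cookie(cookie, "dealer_hand", ["2C"])) is None,
        "rejects_wrong_secret": load_session(cookie, secret=b"other-secret") is None,
        "csrf_passes_with_session_token": csrf_check(session, "constructed-token-123"),
        "csrf_fails_with_other_token": csrf_check(session, "something-else"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the thread makes falls out directly: the CSRF token survives inspection because the check only needs the session value and the form value to match, while the dealer's hand is exposed to exactly the user who should not see it. Note that `load_session` accepts any cookie whose tag verifies, so protecting the cookie from theft (XSS hardening, TLS, `HttpOnly`/`Secure` flags) is what keeps the CSRF check meaningful.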
