Hey Anders,

Storing the CSRF token in the cookie is not an issue. Unless an attacker is able to read out the cookie and thus gain the CSRF token, they won't be able to get access to it at all. Even if you stored the CSRF token itself server side, if an attacker was able to get access to the cookie (using cross site scripting or code injection or a variety of other techniques...) they would have a unique token that is tied to that server side session storage, and thus be able to pass any CSRF checks anyway (since they can read your cookies, they can also read the page itself and retrieve the CSRF token, since it is stored in a form that is submitted to the server).
Using the SignedCookieSessionFactory is perfectly safe and sane when all you are doing is storing limited data such as the CSRF token.

Bert

On Apr 22, 2014, at 14:16 , Anders Wegge <[email protected]> wrote:

> As I read the documentation for SignedCookieSessionFactory, the data stored
> in the session is not encrypted. So storing a CSRF token in the session
> Cookie is not a good option. Pyramid_beaker seems to have been deprecated with
> release 1.5, so which options are the best for a site with very few actions
> requiring CSRF and other session data. My first thought is to pickle the
> session data, and store them in a blob in the user database, but if there
> is something simpler and/or more elegant available, I'd like to hear the
> alternatives.
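An added example, not from this thread and not Pyramid's own SignedCookieSessionFactory code, showing the property the reply relies on: a session cookie that is signed but not encrypted, holding a CSRF token. The payload is readable by anyone who has the cookie, but a cookie minted or altered without the server secret fails the HMAC check and so cannot pass the CSRF comparison. The secret and all names are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo secret (assumption). Whoever holds it can mint valid
# cookies, so it lives only on the server.
SECRET = b"constructed-demo-secret"

def b64_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def serialize_session(session: dict, secret: bytes = SECRET) -> str:
    """Cookie of the form <hmac>.<payload>. The payload is base64, not
    encrypted: the signature protects integrity, not secrecy."""
    payload = json.dumps(session, sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha512).digest()
    return b64_nopad(sig) + "." + b64_nopad(payload)

def deserialize_session(cookie: str, secret: bytes = SECRET) -> Optional[dict]:
    """Session dict if the HMAC verifies, else None (the app then starts
    a fresh session, so a tampered cookie carries no trusted token)."""
    try:
        sig_part, payload_part = cookie.split(".", 1)
        sig, payload = unb64_nopad(sig_part), unb64_nopad(payload_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha512).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    return json.loads(payload)

def peek_payload(cookie: str) -> dict:
    """What anyone holding the cookie can read without the secret."""
    return json.loads(unb64_nopad(cookie.split(".", 1)[1]))

def new_session_with_csrf() -> dict:
    return {"csrf": secrets.token_hex(20)}

def check_csrf(cookie: str, submitted_token: str) -> bool:
    """On a POST, the token from the submitted form must equal the token in
    the verified signed session; a cookie that fails the HMAC fails here."""
    session = deserialize_session(cookie)
    return session is not None and hmac.compare_digest(session.get("csrf", ""), submitted_token)
```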
