Comparing two cookies defeats the entire purpose of csrf protection. Csrf is meant to make it difficult for someone who does not have access to your session to forge requests on behalf of that session. Since cookies are almost always sent along with cross origin requests it means you cannot use them. The user agent must create a payload in the body or a non-cookie header containing the token proving that the creator of this request actually has access to the session information. Session in this paragraph means a client of a domain.
On Tue, Dec 12, 2017 at 11:32 Jonathan Vanasco <[email protected]> wrote: > There's not enough here for me to guess why, but I wanted to note in > Pyramid 1.9.x you can store the CSRF in a cookie (instead of in the > session). It may be worth upgrading to use the new storage policy (and > compare two cookies) before fixing this. > > -- > You received this message because you are subscribed to the Google Groups > "pylons-discuss" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/pylons-discuss/a0ed35da-c332-4108-a277-de668bd54e46%40googlegroups.com > <https://groups.google.com/d/msgid/pylons-discuss/a0ed35da-c332-4108-a277-de668bd54e46%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/CAKdhhwEdHvPuO2TEEeS7RKw1QiVchxRCPesROCfHr1Mu8N-gRQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
