Opened 13 years ago
Last modified 4 years ago
#16859 closed New feature
Allow storing CSRF tokens in sessions — at Version 13
Reported by: | Paul McMillan | Owned by: | Raphael Michel |
---|---|---|---|
Component: | CSRF | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | cmawebsite@…, mail@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Storing the CSRF token in a cookie (Django's default) is safe, but storing it in the session is common practice in other web frameworks and therefore sometimes demanded by security auditors.
Change History (12)
comment:2 by , 10 years ago
Cc: added
comment:3 by , 10 years ago
Version: 1.3 → master
comment:5 by , 9 years ago
Cc: added
I submitted a first version of a patch for session storage of CSRF tokens: https://github.com/django/django/pull/5600
I'd love to have some review on this, but I'm fine with postponing the merge until after Shai has landed his changes to CSRF handling, as those two will get merge conflicts and his will be the bigger change.
comment:6 by , 8 years ago
Has patch: set
comment:8 by , 8 years ago
Has patch: unset
comment:12 by , 8 years ago
Currently the CSRF middleware performs strict Referer header checking, to (a) mitigate MITM attacks that set a cookie via plain HTTP, and (b) prevent issues with malicious subdomains. If the new `CSRF_USE_SESSIONS` is set to `True`, does that mean both of those issues can no longer occur, and so the strict referrer checking is then not required? (Along the lines of: https://github.com/django/django/pull/5600#issuecomment-154797097)
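To make concrete why cookie storage depends on the strict Referer check while session storage does not, here is an added toy model of the two storage modes (constructed example, not Django's own code): `SESSION_DB`, `Request`, `issue_token`, `check_csrf`, `legitimate_post` and `planted_cookie_post` are all assumed names; only the setting name `CSRF_USE_SESSIONS` and the two cookie-setting scenarios come from the comment above.

```python
import secrets

SESSION_DB = {}  # constructed in-memory session store keyed by session id (not Django's)

class Request:
    """Minimal stand-in for the parts of a Django request the check needs."""
    def __init__(self, cookies, post, session_id):
        self.COOKIES = cookies
        self.POST = post
        self.session = SESSION_DB.setdefault(session_id, {})

def issue_token(session_id, use_sessions):
    """Server side: mint a token and keep it where the chosen mode stores it.
    Returns the token to embed in the form and the cookies the browser holds."""
    token = secrets.token_hex(16)
    cookies = {"sessionid": session_id}
    if use_sessions:
        SESSION_DB.setdefault(session_id, {})["_csrftoken"] = token
    else:
        cookies["csrftoken"] = token
    return token, cookies

def check_csrf(request, use_sessions):
    """Accept the POST only if the form token matches the stored one.
    use_sessions plays the role of CSRF_USE_SESSIONS: False compares against
    the cookie the client sent, True against server-side session data."""
    if use_sessions:
        expected = request.session.get("_csrftoken")
    else:
        expected = request.COOKIES.get("csrftoken")
    submitted = request.POST.get("csrfmiddlewaretoken")
    if not expected or not submitted:
        return False
    return secrets.compare_digest(expected, submitted)

def legitimate_post(session_id, use_sessions):
    """A normal form submission by the user the token was issued to."""
    token, cookies = issue_token(session_id, use_sessions)
    req = Request(cookies, {"csrfmiddlewaretoken": token}, session_id)
    return check_csrf(req, use_sessions)

def planted_cookie_post(session_id, use_sessions):
    """The case the comment raises: a party able to set a cookie for the site
    (plain-HTTP MITM, sibling subdomain) but not read the session plants a value
    and submits the same value in the form; only session storage rejects it."""
    issue_token(session_id, use_sessions)  # the victim already holds a real token
    planted = secrets.token_hex(16)
    cookies = {"sessionid": session_id, "csrftoken": planted}
    req = Request(cookies, {"csrfmiddlewaretoken": planted}, session_id)
    return check_csrf(req, use_sessions)
```

In Django the Referer check is a separate step in the middleware; this model isolates only the token comparison the comment is asking about.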
comment:13 by , 4 years ago
Description: modified (diff)
Owner: changed
Status: new → assigned
Summary: CSRF Improvements → Allow storing CSRF tokens in sessions
Type: Cleanup/optimization → New feature
I'm going to retitle this ticket for the work that was done and close it.
If there's remaining work from items in the old description (below), let's open new tickets to track them individually.
This is a ticket to keep track of general CSRF improvements we want to add to Django. This includes:
- #16010 - add Origin checking
- Optionally tie CSRF to sessions [done in this ticket]
- Use signing to improve CSRF (maybe with sessions)
- Improve domain/host checking - deal with the subdomain to subdomain problem
In case other people at the #duth sprint are looking into this: Shai Berger is working on a new approach to generating the tokens and I'm working on the usage of sessions for token storage.