Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Django CSRF Cookie -- why doesn't it expire at browser close?

Tags:

django

csrf

Django allows you to specify that the session expires at browser close (with some caveats for Chrome). Why doesn't it do that for the CSRF cookie?

I ask because it seems to me that the CSRF token is vulnerable to being leaked (e.g., by mistakenly putting it in a post to an external site), and this would be a mitigation for that. Am I misunderstanding something?

like image 244
AdamC Avatar asked Oct 04 '13 13:10

AdamC


People also ask

How does Django handle CSRF?

Django has a {% csrf_token %} tag that is implemented to avoid malicious attacks. It generates a token on the server-side when rendering the page and makes sure to cross-check this token for any requests coming back in. If the incoming requests do not contain the token, they are not executed.

How long do CSRF tokens last?

It remains valid for 24 hours.

How do I ignore CSRF token in Django?

1. Using @csrf_exempt decorator. The is will import the @csrf_exempt decorator that allows you to easily disable CSRF validation for specific views. Just place @csrf_exempt decorator immediately above the view for which you do not want CSRF protection.


1 Answers

I'll repost my answer from the developer's list that Carl linked, so that stackoverflow has it too:

If the cookie were set to expire at browser close, it would cause CSRF errors for users who closed a browser (or bookmarked a page with a form on it) and then loaded that page from a browser cache and submitted the form. I'm ambivalent about whether this use case is worth supporting (it may be important on mobile devices, for example), but I don't believe that setting the cookie to expire on browser close provides much security benefit to an otherwise properly configured site (HTTPS, HSTS, etc.).

Django's CSRF implementation differs[1] from many others which store CSRF information alongside session information on the server. The CSRF mechanism functions by matching a token provided in a form with a token provided as a cookie in the browser. If you set the cookie to 'zzz', it will still function perfectly well. The security comes from the fact that an attacker cannot set the cookie, not that it happens to contain any specific cryptographic value.

If the concern is that an attacker could access a user's physical computer between sessions and steal a CSRF token, setting it to expire at browser close would not prevent an attacker from inserting a cookie of known value that would be used during the next session. I'm not convinced we can secure the tokens of a user whose computer has been physically accessed by an attacker.

Still, if it can be convincingly demonstrated that setting the cookie to expire at browser close would not break existing use cases (mobile browsers are my chief concern) I'd be open to changing the default behavior. We generally consider it a bug if any non-malicious user can, through innocent behavior, trigger the CSRF warning.

[1] Django's CSRF implementation usually sets off all kinds of false alarms in most pen-tester tools, since it doesn't work exactly the same way other implementations do, and isn't tied to the session cookie.

like image 144
Paul McMillan Avatar answered Nov 15 '22 02:11

Paul McMillan