Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does django csrf token must be unique on every request?

I have a question about Django CsrfViewMiddleware mechanism. I know, that Django:

  1. Set new csrftoken cookie on every request.
  2. Check, than X-CSRFToken header value (or hidden input "csrfmiddlewaretoken") must be equals to csrftoken cookie.

But Django doesn't check whether token has been used already (example from CsrfViewMiddleware):

if not constant_time_compare(request_csrf_token, csrf_token):
            return self._reject(request, REASON_BAD_TOKEN)

So I can POST multiple requests with the same token (I tested it on my server).

Is it standart behavior, or I have incorrect Django setup? Thanks.

like image 369
akozin Avatar asked Aug 26 '14 13:08

akozin


1 Answers

CSRF tokens are not consumed.

To elaborate on Germano's comment, the reasoning behind it is simple:

Multiple browser windows / tabs and REST

Essentially, Django would have to create (and persist, and, in distributed 'cloud' deployment, synchronize) new CSRF tokens for every single page that has been rendered in the past. Essentially, this would easily lead to Denial of Service attacks, where you cannot assume any sensible expiration for the CSRFs.

like image 83
qdot Avatar answered Oct 01 '22 01:10

qdot