Multiple csrftoken cookies, is it an RFC requirement to only have 1 csrftoken?

I'm trying to find an answer to the following.

  • Under what circumstances would the browser store multiple csrftoken cookies?
  • Is it the correct, or technically valid functionality?
  • And where in the RFC/security documentation is passing an array, or trying an array, of csrftoken values described, or technically valid?

I've attached an example screenshot of what I'm seeing: multiple csrftoken cookies with various cookie paths and expiry times (multitenancy, and various form paths).


Related:

  • https://github.com/django/django/blob/5a68f024987e6d16c2626a31bf653a2edddea579/django/middleware/csrf.py#L324
  • https://github.com/django/django/blob/5a68f024987e6d16c2626a31bf653a2edddea579/django/middleware/csrf.py#L191
  • Cookie path and its accessibility to subfolder pages
jmunsch asked Dec 27 '19 17:12



1 Answer

It is not a requirement to only have one token, but a more common approach would be to update/refresh the CSRF token cookie on a single root path: /.

It really depends on how your server interprets the potential form posts that follow each token request. An easy approach is to store a newly generated token in the user's session storage (in memory or database) before setting the cookie. Then compare these two again on the server when the user's form POST arrives.

  1. The browser stores multiple token cookies when each HTTP GET request (which responds with a token) specifies a custom cookie path. A more common approach would be to have one cookie for the purpose of protecting against CSRF.

  2. You could make your tokens path specific, but this would not make your token more secure.

  3. Testing token validity is entirely up to you.

Hope this helps.

gwest7 answered Oct 14 '22 12:10
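Added example (not code from the asker or the answerer): a small Python model of the behaviour the answer describes. The first part applies the RFC 6265 path-match rule to three constructed Set-Cookie headers to show why a browser keeps several csrftoken cookies and which of them it includes for a given request path; the second part is the server-side check the answer recommends, comparing a token stored in the session with the one submitted in the form. The header values, paths and the session dict are constructed for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a multitenant app that issues a
# token per form path might emit them (values are made up).
SET_COOKIE_HEADERS = [
    "csrftoken=aaa111; Path=/; Max-Age=31449600",
    "csrftoken=bbb222; Path=/tenant-a/forms; Max-Age=3600",
    "csrftoken=ccc333; Path=/tenant-b; Max-Age=3600",
]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: identical, or cookie path is a
    prefix that ends in '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def store_cookies(headers):
    """Model the browser's jar: one cookie per distinct (name, path) pair.
    A Set-Cookie with a different Path does not replace an existing cookie
    of the same name, which is why several csrftoken cookies accumulate."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[(name, morsel["path"] or "/")] = morsel.value
    return jar


def cookies_for(jar, request_path, name="csrftoken"):
    """Values the browser would send for request_path, longer paths first
    (RFC 6265 section 5.4). More than one value means the Cookie header
    carries the same name twice and the server must pick one."""
    matching = [(path, value) for (n, path), value in jar.items()
                if n == name and path_matches(request_path, path)]
    matching.sort(key=lambda pv: len(pv[0]), reverse=True)
    return [value for _, value in matching]


def issue_token(session: dict) -> str:
    """Server side: generate a token, store it in the session, then set it
    as the cookie (or render it into the form). Mirrors the answer's advice."""
    token = secrets.token_urlsafe(32)
    session["csrftoken"] = token
    return token


def validate_post(session: dict, submitted_token: str) -> bool:
    """Compare the session copy with the token submitted in the form POST.
    Constant-time comparison avoids leaking where the two strings differ."""
    expected = session.get("csrftoken")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    jar = store_cookies(SET_COOKIE_HEADERS)
    for path in ["/", "/tenant-a/forms/login", "/tenant-b", "/tenant-bx"]:
        print(path, "->", cookies_for(jar, path))
    session = {}
    token = issue_token(session)
    print("valid:", validate_post(session, token), "forged:", validate_post(session, "x"))
```

For a request to /tenant-a/forms/login the model sends both bbb222 and aaa111, so the Cookie header contains csrftoken twice; which value a framework reads is a property of its cookie parsing, not of the RFC, which is why the single root-path cookie the answer suggests is easier to reason about. /tenant-bx receives only the root cookie because "/tenant-b" is not followed by a "/" in that path.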