#34182: Is there a reason only the headers are checked when using the csrf token?
----------------------------------+--------------------------------------
Reporter: Joon Hwan 김준환 | Owner: nobody
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: invalid
Keywords: csrf, cookie | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):
* cc: Florian Apolloner (added)
* status: new => closed
* resolution: => invalid
Comment:
As far as I'm aware, using only the cookie is not sufficient. Quoting
[https://code.djangoproject.com/ticket/23040#comment:1 Florian]: ''"Django
compares the token from the cookie (which an attacker can't control) to
the header/post-data which the attacker can control. Hence you will always
need the cookie and the header or post-data."''
--
Ticket URL: <https://code.djangoproject.com/ticket/34182#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
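A worked illustration of the comparison Florian describes, added here and not part of the ticket or of Django's own code: the masking scheme, the cookie/header/field names and the request dicts are assumptions modelled on Django's CSRF middleware. It runs a cookie-only check (the approach the ticket asks about) and the double-submit check side by side over a same-origin request and a constructed cross-site request.

```python
import hmac
import secrets
import string

# Assumed constants modelled on Django's CSRF middleware (illustrative, not Django's code):
# the cookie carries a 32-char secret, the header/form field carries a 64-char masked token.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32


def _shift(a: str, b: str, sign: int) -> str:
    """Shift each char of a by the index of the matching char of b (mod alphabet size)."""
    n = len(CSRF_ALLOWED_CHARS)
    idx = CSRF_ALLOWED_CHARS.index
    return "".join(CSRF_ALLOWED_CHARS[(idx(x) + sign * idx(y)) % n] for x, y in zip(a, b))


def mask_secret(secret: str) -> str:
    """Token as sent in the X-CSRFToken header / csrfmiddlewaretoken field: mask + shifted secret."""
    mask = "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))
    return mask + _shift(secret, mask, +1)


def unmask_token(token: str) -> str:
    """Recover the secret from a masked token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return _shift(cipher, mask, -1)


def cookie_only_check(request: dict) -> bool:
    """The approach the ticket asks about: accept if the cookie alone looks valid."""
    cookie = request.get("cookies", {}).get("csrftoken", "")
    return len(cookie) == CSRF_SECRET_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in cookie)


def double_submit_check(request: dict) -> bool:
    """What the comment describes: the cookie must match the header or post-data token."""
    cookie = request.get("cookies", {}).get("csrftoken", "")
    token = (request.get("headers", {}).get("X-CSRFToken")
             or request.get("post", {}).get("csrfmiddlewaretoken", ""))
    if len(cookie) != CSRF_SECRET_LENGTH or len(token) != 2 * CSRF_SECRET_LENGTH:
        return False
    return hmac.compare_digest(unmask_token(token), cookie)


def compare_checks(secret: str) -> dict:
    """Run both checks over a same-origin request and a constructed cross-site request."""
    # Same-origin: the site's own page rendered the masked token and sends it back.
    legit = {"cookies": {"csrftoken": secret}, "headers": {"X-CSRFToken": mask_secret(secret)}}
    # Cross-site: the browser attaches the cookie automatically, but the foreign page
    # cannot read it, so whatever it puts in the form field does not match the cookie.
    forged = {"cookies": {"csrftoken": secret}, "post": {"csrfmiddlewaretoken": mask_secret("x" * 32)}}
    return {"cookie_only": (cookie_only_check(legit), cookie_only_check(forged)),
            "double_submit": (double_submit_check(legit), double_submit_check(forged))}
```

The cookie-only check returns True for both requests, because the browser sends the cookie regardless of which site initiated the request; only the cookie-to-token comparison tells the two apart.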