Hi Mike,
If an attacker can set cookies on your domain, you've got much larger
problems than whether or not they know the nonce. Even if you do
change the nonce on login, you are still vulnerable to multiple forms
of session fixation attacks. To quote myself from an earlier mail to
this list:
htt
Hi there,
I'd like to discuss the behavior of the 'csrftoken' cookie that is used
for django's CSRF protection [1].
I noticed that the cookie content does not change when performing a login
(like the 'sessionid' cookie does).
According to [1] this seems to be the documented behavior: "This cookie
