It sounds like you fixed the underlying issue, but I wanted to answer the original question anyway.
I think it's less than ideal to expose the CSRF token in the URL. It's true that your users can view source and see the token, but putting it in the URL parameters means it will be in the browser history and may be logged on whatever servers are between the user's browser and your server. Although it's true that servers along the way could look at POST data, they shouldn't be logging it. I guess if you wanted to be truly secure you'd use HTTPS (or sneakernet), but it's good to minimize the possibility for attacks.
On Friday, October 3, 2014 6:26:43 AM UTC-7, Sabine Maennel wrote:
Please help: I am confused whether it is okay that it is showing in the URL like this: This happens when I enter my form (a CreateView ModelForm). Is that okay, or a security risk of any kind?
You received this message because you are subscribed to the Google Groups "Django users" group.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/36714e8a-5647-4fef-9fd1-59ab43e8e982%40googlegroups.com.
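The mechanism behind the thread, as an added example that is not part of the original post or of Django's own code: a form that submits with GET (or omits `method`, which defaults to GET) sends every field, including the hidden `csrfmiddlewaretoken` input that `{% csrf_token %}` renders, in the query string, so the token lands in browser history, Referer headers and access logs; with `method="post"` the same fields travel in the request body. The form markup, token value, paths and access-log lines below are all constructed for the example. The last function is a small log check a practitioner can run over real access logs to find tokens that have already leaked into URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed markup in the shape {% csrf_token %} emits; the token is made up.
CSRF_INPUT = '<input type="hidden" name="csrfmiddlewaretoken" value="abc123TOKEN">'
FORM_GET = ('<form method="get" action="/items/add/">' + CSRF_INPUT
            + '<input name="title" value="hello"></form>')   # the leaky form
FORM_POST = FORM_GET.replace('method="get"', 'method="post"')  # the fix


class _FormFields(HTMLParser):
    """Collect method, action and the name/value pairs of one <form>."""

    def __init__(self):
        super().__init__()
        self.method = "get"          # HTML default when method is omitted
        self.action = ""
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.method = (attrs.get("method") or "get").lower()
            self.action = attrs.get("action", "")
        elif tag == "input" and attrs.get("name"):
            self.fields.append((attrs["name"], attrs.get("value", "")))


def submit(form_html):
    """Model a browser submitting the form: GET puts every field, CSRF token
    included, into the query string; POST puts them in the request body."""
    p = _FormFields()
    p.feed(form_html)
    encoded = urlencode(p.fields)
    if p.method == "get":
        return {"method": "GET", "url": f"{p.action}?{encoded}", "body": ""}
    return {"method": "POST", "url": p.action, "body": encoded}


def token_in_url(request):
    """True when the CSRF token is visible in the URL (history, Referer, logs)."""
    return "csrfmiddlewaretoken" in parse_qs(urlsplit(request["url"]).query)


TOKEN_RE = re.compile(r"csrfmiddlewaretoken=([^&\s\"]+)")
REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def find_leaked_tokens(log_lines):
    """Scan common-log-format request lines for CSRF tokens in query strings.
    Returns (path, token) pairs. POST bodies are not in the log, which is
    exactly why moving the token into the body keeps it out of here."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        t = TOKEN_RE.search(parts.query)
        if t:
            hits.append((parts.path, t.group(1)))
    return hits


# Constructed access-log lines: one GET submission that leaked the token,
# one POST submission that did not, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Oct/2014:06:26:43 -0700] "GET /items/add/?csrfmiddlewaretoken=abc123TOKEN&title=hello HTTP/1.1" 302 0',
    '10.0.0.5 - - [03/Oct/2014:06:27:01 -0700] "POST /items/add/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Oct/2014:06:28:10 -0700] "GET /items/ HTTP/1.1" 200 1834',
]

if __name__ == "__main__":
    for form in (FORM_GET, FORM_POST):
        req = submit(form)
        print(req["method"], req["url"], "token in URL:", token_in_url(req))
    print("leaked in log:", find_leaked_tokens(SAMPLE_LOG))
```

Django's CSRF middleware only checks the token on POST, PUT, PATCH and DELETE, so a GET submission never reaches the CreateView's save path anyway; the visible token is the symptom of the wrong form method, and `method="post"` removes both the leak and the non-working submit. Run `find_leaked_tokens` over real access logs after the fix to confirm no further `csrfmiddlewaretoken=` entries appear.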