Thursday, April 28, 2016

Re: Csrf: when is it updated/generated?

it says "A CSRF cookie that is set to a random value (a session independent nonce, as it is called),"  and later "For security reasons, the value of the CSRF cookie is changed each time a user logs in."

The value is the same in the two tabs because i've not performed the login, right? (and it reads the data from the cookie file) but from the first sentence it seems that every time i refresh the page (so i open it in a new tab) it should change (but if the value is in the cookie then it's not).



On Thursday, April 28, 2016 at 6:30:15 PM UTC+2, Tim Graham wrote:
Did you read https://docs.djangoproject.com/en/stable/ref/csrf/#how-it-works ?

On Thursday, April 28, 2016 at 11:24:40 AM UTC-4, Stefano Tranquillini wrote:
Hello,
i was running a test on a website i dev with django and the system pointed out that "There are indications that attempts to protect against CSRF is in place. By using two different sessions the same tokens were retrieved. This may indicate a buggy behavior in the protection mechanism." . By checking it out  I opened two tabs of the login page and both have the same csfr token. This sounds strange to me, but maybe is not.
I've tried to look into the doc or in the group but I can't figure out if it's an intended behaviour or what.

When is a csfr generate/updated?

thanks.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/59c3de10-654b-403a-8c11-df6a778a8f53%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment