
P.S. I am not into Django, but if you have a clue how to contact the authors... please tell them to put the CSRF token into the session cookie. It must be fixed in the first place; BREACH is 100 times harder and longer, while cookie forcing is a completely viable attack with active MITM. Or perhaps it was fixed? I checked it on Bitbucket the last time...


Again, we believe that sessions and CSRF protection can be orthogonal (and that there are benefits to doing so). If you can prove otherwise, let us know!

There's also https://github.com/mozilla/django-session-csrf, an alternate CSRF implementation by Mozilla that does use session-linked CSRF tokens. So if you insist on "tokens must be session-linked", you can use that instead.


Sorry, I think in terms of Rails; in Rails a session is a _site_sess cookie... I am not sure how it works in Django, but here is a post about it: http://homakov.blogspot.com/2013/06/cookie-forcing-protectio...

https://github.com/mozilla/django-session-csrf seems OK; it should be the default.


"i am not sure how it works in Django"

Perhaps you should do a little research before proclaiming things insecure?


Bitbucket is vulnerable > Django has a problem

if it's not enough:

some websites from http://www.djangosites.org/ are vulnerable > Django has a problem


And yes, they clearly state it was made as a solution to cookie forcing:

>Your site is on a subdomain with other sites that are not under your control, so cookies could come from anywhere.

it should be default, for sure.
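The disagreement in this thread is about whether the CSRF token must be bound to the server-side session or may live only in a cookie that is compared against the form field. The following is an added illustration, not code from Django, django-session-csrf or either commenter: a minimal model of both validation schemes, with an in-memory dict standing in for a session backend. The cookie and form-field names (`csrftoken`, `csrfmiddlewaretoken`, `sessionid`) are borrowed from Django's defaults for readability; everything else, including the scenario functions and the constructed attacker-known value, is an assumption made for the example. The model takes the forced cookie as given (it does not show how a cookie gets forced); it only shows why the session-linked check rejects it.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh CSRF token to it server-side."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(16)}
    return sid


def validate_double_submit(cookies, form):
    """Cookie-only ("double submit") scheme: the csrftoken cookie must equal the
    form field. The server keeps no record of the token, so whatever cookie the
    browser presents is trusted as the reference value."""
    cookie_token = cookies.get("csrftoken")
    form_token = form.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def validate_session_linked(cookies, form):
    """Session-linked scheme: the form field must equal the token stored server-side
    under the session identified by the sessionid cookie. A csrftoken cookie, forced
    or not, plays no part in the decision."""
    session = SESSIONS.get(cookies.get("sessionid", ""))
    form_token = form.get("csrfmiddlewaretoken")
    if session is None or not form_token:
        return False
    return hmac.compare_digest(session["csrf_token"], form_token)


def cookie_forcing_scenario():
    """Model the case discussed above: the victim has a valid session, but the
    csrftoken cookie presented to the server is one the attacker already knows
    (the example assumes it was forced; it does not model how)."""
    victim_sid = new_session()
    attacker_known = "attacker-known-value"  # constructed value, not a real token
    cookies = {"sessionid": victim_sid, "csrftoken": attacker_known}
    forged_form = {"csrfmiddlewaretoken": attacker_known}
    return {
        "double_submit_accepts_forged": validate_double_submit(cookies, forged_form),
        "session_linked_accepts_forged": validate_session_linked(cookies, forged_form),
    }


def legitimate_scenario():
    """A genuine form post: the browser sends its own cookies and the token the
    server rendered into the page. Both schemes must accept this."""
    sid = new_session()
    token = SESSIONS[sid]["csrf_token"]
    cookies = {"sessionid": sid, "csrftoken": token}
    form = {"csrfmiddlewaretoken": token}
    return (validate_double_submit(cookies, form), validate_session_linked(cookies, form))


if __name__ == "__main__":
    print("forced cookie:", cookie_forcing_scenario())
    print("legitimate post:", legitimate_scenario())
```

Running it shows the cookie-only check accepting the forged request while the session-linked check rejects it, which is the point of the django-session-csrf approach. The trade-off the maintainer alludes to is also visible in the model: `validate_session_linked` can only protect requests that already carry a server-side session, so anonymous forms need a session (or a different design) before they get any CSRF protection at all.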



