django: csrftoken COOKIE vs. csrfmiddlewaretoken HTML Form value

Trying to learn about security. Curious about why in django when submitting a form (a POST), there are 2 separate "elements" that contain the same csrf token value:

    - the csrftoken cookie: COOKIES:{'csrftoken': '1effe96056e91a8f58461ad56c0d4ddc', ...
    - the Form's hidden csrfmiddlewaretoken: POST:<QueryDict: {u'csrfmiddlewaretoken': [u'1effe96056e91a8f58461ad56c0d4ddc'], ...

If django is inserting the hidden csrf field/value to the form when it sends it to the browser (GET), and expects the same value back when receiving the POST, then why is it necessary to also set a cookie?

A more general question, if either of them was missing (form, cookie), could you provide a scenario that explains how this could be exploited (security attack)?

By the way, I ran a couple of simple tests to make sure that django was checking the validity of each one separately and indeed it is:

- if I change the form's csrf value before doing the POST, I get this debug error back:

      CSRF token missing or incorrect

- if I delete the csrf cookie before doing the POST, I get a different error back:

      CSRF cookie not set.

I'm just familiar with basic csrf concepts and want to learn how django helps protect against these types of attacks.

Thanks,

jd

---

update:

Although both answers (S.Lott and M. DeSimone) were informative and make sense, I thought that there could be a more detailed explanation for requiring the presence of the security value in both the form and in the cookie. While searching outside stackoverflow.com, I came across a blog post from... Jeff Atwood.

I have included a third answer (sorry to answer my own question but I think that it is relevant supplemental info) that refers to a blog post from Jeff and includes a quotation.
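The check the question is probing is the "double-submit cookie" pattern: the server keeps no copy of the token, so on a POST it can only compare the value the browser sent back as a cookie against the value the form carried. The following is an added, self-contained model of that check, written for this page and not Django's own middleware (Django masks and rotates its token and has a session-backed mode; none of that is modelled here). Function names, the 32-hex-character token format taken from the values in the question, and the four simulated flows are assumptions for illustration; the two rejection strings are the messages quoted in the question.

```python
"""Model of a double-submit CSRF check (added example, not Django's code)."""
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"

# Rejection reasons mirror the two debug messages quoted in the question.
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def new_token() -> str:
    """Mint a random 32-hex-char token (same shape as the values in the question)."""
    return secrets.token_hex(16)


def render_form(cookies: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Simulate the GET: make sure the browser holds a csrftoken cookie and embed
    the same value as a hidden field in the HTML that is served."""
    token = cookies.get(CSRF_COOKIE_NAME) or new_token()
    updated = {**cookies, CSRF_COOKIE_NAME: token}
    html = f'<input type="hidden" name="{CSRF_FORM_FIELD}" value="{token}">'
    return updated, html


def extract_field_token(html: str) -> str:
    """What a page running in the browser can do: read the hidden field out of the HTML."""
    match = re.search(r'name="%s" value="([0-9a-f]+)"' % CSRF_FORM_FIELD, html)
    return match.group(1) if match else ""


def check_csrf(cookies: Dict[str, str], post: Dict[str, str]) -> Optional[str]:
    """Server-side POST check: None means accepted, otherwise the rejection reason.

    Both halves are needed because the server stores nothing. The cookie is trusted
    because a page on another origin cannot read or set this site's cookies, and the
    form field is required because the browser attaches cookies to any request
    automatically, so only a page that actually saw the token could have copied it
    into the form body.
    """
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if not cookie_token:
        return REASON_NO_COOKIE
    form_token = post.get(CSRF_FORM_FIELD, "")
    # constant-time comparison so the check does not leak the token byte by byte
    if not hmac.compare_digest(cookie_token, form_token):
        return REASON_BAD_TOKEN
    return None


def legitimate_flow() -> Optional[str]:
    """GET the form, copy the hidden field back, POST: accepted."""
    cookies, html = render_form({})
    return check_csrf(cookies, {CSRF_FORM_FIELD: extract_field_token(html), "msg": "hi"})


def tampered_form_flow() -> Optional[str]:
    """The question's first test: edit the form value before POSTing."""
    cookies, _ = render_form({})
    return check_csrf(cookies, {CSRF_FORM_FIELD: "0" * 32})


def deleted_cookie_flow() -> Optional[str]:
    """The question's second test: delete the cookie before POSTing."""
    _, html = render_form({})
    return check_csrf({}, {CSRF_FORM_FIELD: extract_field_token(html)})


def cross_site_forgery_flow() -> Optional[str]:
    """A page on another origin submits a form to the site. The victim's browser still
    attaches the csrftoken cookie, but the foreign page never saw that value and can
    only guess the hidden field, so the two halves do not match."""
    victim_cookies, _ = render_form({})
    attacker_guess = new_token()
    return check_csrf(victim_cookies, {CSRF_FORM_FIELD: attacker_guess})
```

Running `legitimate_flow()` returns `None`, `tampered_form_flow()` and `cross_site_forgery_flow()` return the "missing or incorrect" reason, and `deleted_cookie_flow()` returns the "cookie not set" reason, which is the separation the question's two manual tests observed.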