Questions on Django's CSRF protection

The documentation has an explanation here, but I had some additional questions.

Why is a dedicated CSRF cookie necessary?

If Django does not use transaction-specific nonces, why not just require embedding the session ID inside the POST request body?

Why should CSRF nonces be bound to the session ID? Does Django do this?

This webpage seems to imply that the CSRF nonce needs to be bound to the session ID (e.g. CSRF nonce = keyed hash of session ID). Why is that? Does Django bind its CSRF nonce to the session ID?

Why does Django use a session-independent nonce and not transaction-specific nonces?

Is it because of performance concerns? Intuitively, transaction-specific nonces seem to be more secure by nature.

Answers


CSRF protection and sessions are different in nature, so putting them in a single cookie would make it harder to maintain.

Here are some differences:

  1. You can use CSRF protection without using sessions.
  2. You may want to use CSRF before a session has started (i.e. you don't want to start a session before the user has logged in, because of performance, but you want to protect your contact form with CSRF).
  3. Sometimes you want to delete the session cookie, but probably never the CSRF cookie.
  4. CSRF protection is needed for a single browser session (until you close the browser), but sessions may continue for even weeks.
  5. You may want to have a cross-domain session, but probably never need cross-domain CSRF.
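The contrast the answer draws, shown as an added example (this is not code from the question, the answer, or Django's own middleware): a session-independent double-submit check, where a random token lives in a dedicated CSRF cookie and must be echoed in the POST body, next to the session-bound variant from the linked page, where the token is a keyed hash of the session ID. The cookie and field names `csrftoken` / `csrfmiddlewaretoken` are Django's; the `SERVER_SECRET` constant and the dict-shaped requests are constructed stand-ins. Note that the double-submit flow carries no `sessionid` cookie at all, which is points 1 and 2 of the answer in practice.

```python
import hashlib
import hmac
import secrets

# Hypothetical server secret used only by the session-bound variant below;
# a real deployment loads this from configuration and never hard-codes it.
SERVER_SECRET = b"example-server-secret-do-not-use"


def new_csrf_token() -> str:
    """Session-independent token (the model Django uses): a random value the
    server puts in a dedicated CSRF cookie. No session has to exist for it."""
    return secrets.token_hex(32)


def verify_double_submit(cookie_token, form_token) -> bool:
    """Double-submit check: the CSRF cookie the browser sends back must equal the
    token embedded in the POST body. A cross-site page can make the browser
    attach the cookie, but cannot read it to copy it into a forged form."""
    if not cookie_token or not form_token:
        return False
    # constant-time comparison so a mismatch does not leak where it occurred
    return hmac.compare_digest(cookie_token, form_token)


def session_bound_token(session_id: str) -> str:
    """Session-bound token, as the linked page suggests: a keyed hash of the
    session ID. It needs no cookie of its own, but cannot exist before a
    session does, and changes whenever the session ID is rotated."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_bound(session_id, form_token) -> bool:
    if not session_id or not form_token:
        return False
    return hmac.compare_digest(session_bound_token(session_id), form_token)


def handle_post(request: dict) -> str:
    """Minimal handler using the double-submit check. `request` is a constructed
    stand-in for an HTTP request: {'cookies': {...}, 'body': {...}}."""
    cookie_token = request.get("cookies", {}).get("csrftoken")
    form_token = request.get("body", {}).get("csrfmiddlewaretoken")
    if verify_double_submit(cookie_token, form_token):
        return "200 OK"
    return "403 Forbidden"


def demo() -> dict:
    """Constructed scenarios: one legitimate POST and two forged ones."""
    token = new_csrf_token()  # issued with the GET that rendered the form

    # The user's own form carries the token; the browser also sends the cookie.
    # There is deliberately no 'sessionid' cookie: CSRF works without a session.
    legitimate = {"cookies": {"csrftoken": token},
                  "body": {"csrfmiddlewaretoken": token}}

    # A page on another origin auto-submits a form to our site. The browser still
    # attaches our cookie, but the attacker never saw it, so the body holds a guess.
    forged = {"cookies": {"csrftoken": token},
              "body": {"csrfmiddlewaretoken": secrets.token_hex(32)}}

    # The same attack with the hidden field left out entirely.
    forged_no_field = {"cookies": {"csrftoken": token}, "body": {}}

    return {
        "legitimate": handle_post(legitimate),
        "forged": handle_post(forged),
        "forged_no_field": handle_post(forged_no_field),
    }


if __name__ == "__main__":
    print(demo())
```

The two verifiers make the trade-off concrete: `verify_double_submit` needs nothing but the cookie, so it can protect a pre-login contact form and survives session deletion or rotation; `verify_session_bound` saves a cookie but ties the token's lifetime to the session's, which is exactly the coupling the answer argues against.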
