Questions on Django's CSRF protection
The documentation has an explanation here, but I had some additional questions.
Why is a dedicated CSRF cookie necessary?
If Django does not use transaction-specific nonces, why not just require embedding the session ID inside the POST request body?
Why should CSRF nonces be bound to the session ID? Does Django do this?
This webpage seems to imply that the CSRF nonce needs to be bound to the session ID (e.g. CSRF nonce = keyed hash of session ID). Why is that? Does Django bind its CSRF nonce to the session ID?
Why does Django use a session-independent nonce and not transaction-specific nonces?
Is it because of performance concerns? Intuitively, transaction-specific nonces seem to be more secure by nature.
CSRF protection and sessions are different in nature, so putting both in a single cookie would make it harder to maintain.
Here are some differences:
- You can use CSRF protection without using sessions.
- You may want to use CSRF before the session has started (i.e. you don't want to start a session before the user has logged in, because of performance, but you still want to protect your contact form with CSRF).
- Sometimes you want to delete the session cookie, but probably never the CSRF cookie.
- CSRF protection is needed for a single browser session (until you close the browser), but sessions may continue for weeks.
- You may want to have cross-domain session, but probably never need cross-domain CSRF.
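As an added illustration (not Django's own code, and not from the question or answer above), here is a minimal comparison of the two token strategies discussed: a session-bound token computed as a keyed hash of the session ID, versus a session-independent random token kept in a dedicated cookie and checked with the double-submit pattern. The server secret, session IDs and request dict are constructed placeholders, and the cookie and field names reuse Django's defaults only as labels; the dispatch logic is a simplified sketch, not Django's middleware.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder secret; a real deployment loads this from configuration.
SERVER_SECRET = b"placeholder-server-secret"


def session_bound_token(session_id: str) -> str:
    """Token derived as a keyed hash (HMAC) of the session ID.
    The server stores nothing extra: it recomputes the HMAC on every check,
    so a token copied from one session is useless for another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_bound(session_id: str, submitted_token: str) -> bool:
    expected = session_bound_token(session_id)
    # Constant-time comparison so the check does not leak the expected value via timing.
    return hmac.compare_digest(expected, submitted_token)


def new_cookie_token() -> str:
    """Session-independent token: a random value set in a dedicated CSRF cookie.
    Works before any session exists (e.g. a public contact form)."""
    return secrets.token_hex(32)


def verify_double_submit(cookie_token: str, submitted_token: str) -> bool:
    """Double-submit check: the token echoed in the POST body must equal the cookie.
    A cross-site page cannot read the cookie, so it cannot supply a matching value.
    An empty cookie is rejected outright rather than matching an empty body field."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, submitted_token)


def check_post(request: dict) -> bool:
    """Apply whichever check the request supports: session-bound if a session cookie
    is present, otherwise the cookie double-submit. `request` is a constructed dict
    with "COOKIES" and "POST" mappings, standing in for a real request object."""
    cookies = request.get("COOKIES", {})
    body_token = request.get("POST", {}).get("csrfmiddlewaretoken", "")
    session_id = cookies.get("sessionid")
    if session_id:
        return verify_session_bound(session_id, body_token)
    return verify_double_submit(cookies.get("csrftoken", ""), body_token)
```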