[1.11.x] Refs #16859 -- Updated CSRF FAQ to mention CSRF_USE_SESSIONS setting.
Backport of 503e944ac7
from master
This commit is contained in:
parent
c96d1c7476
commit
6bb01b0b3c
|
@ -532,13 +532,16 @@ Some security audit tools flag this as a problem but as mentioned before, an
|
||||||
attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying
|
attacker cannot steal a user's browser's CSRF cookie. "Stealing" or modifying
|
||||||
*your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability.
|
*your own* token using Firebug, Chrome dev tools, etc. isn't a vulnerability.
|
||||||
|
|
||||||
Is the fact that Django's CSRF protection isn't linked to a session a problem?
|
Is it a problem that Django's CSRF protection isn't linked to a session by default?
|
||||||
------------------------------------------------------------------------------
|
-----------------------------------------------------------------------------------
|
||||||
|
|
||||||
No, this is by design. Not linking CSRF protection to a session allows using
|
No, this is by design. Not linking CSRF protection to a session allows using
|
||||||
the protection on sites such as a `pastebin` that allow submissions from
|
the protection on sites such as a `pastebin` that allow submissions from
|
||||||
anonymous users which don't have a session.
|
anonymous users which don't have a session.
|
||||||
|
|
||||||
|
If you wish to store the CSRF token in the user's session, use the
|
||||||
|
:setting:`CSRF_USE_SESSIONS` setting.
|
||||||
|
|
||||||
Why might a user encounter a CSRF validation failure after logging in?
|
Why might a user encounter a CSRF validation failure after logging in?
|
||||||
----------------------------------------------------------------------
|
----------------------------------------------------------------------
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue