I have recently updated a website from Django 1.0 to 1.3. One of the changes introduced wasautomatic protection against CSRF attacks. For the most part, this works great, but I have a problem with clients that for some reason do not accept cookies at all. While it is OK to refuse such clients to register or log in, they still should be able to use e.g. a contact form. Django refuses all POST requests that do not have a CSRF cookie, so I have dozens of CSRF failures every day that are not an attack, but legitimate clients that do not accept cookies.
As this is not acceptable, my plan is to modify Django's behavior (through extension of the CSRF middleware) in such a way, that it lets through POST requests that do not have any cookies at all. My reasoning behind this is that CSRF attacks makes use of the session cookie to forge a request. But there is no session cookie attached to the request anyway, so no protection against CSRF is needed in this case.
So, is my reasoning sound or am I about to tear a huge security hole into my website?
http://security.stackexchange.com/questions/8711/csrf-protection-needed-for-clients-that-dont-accept-cookies
2063
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
