Django CSRF Cookie: why doesn't it expire when the browser closes?

Tags: django csrf

Django allows you to specify that the session expires when the browser closes (with some caveats for Chrome). Why doesn't it do the same for the CSRF cookie?

I ask because it seems to me that a CSRF token can easily be leaked (for example, by mistakenly pasting it into a post on an external site), and this would be a mitigation. Am I misunderstanding something?

Best answer

I'll repost my answer from the developer list that Carl linked, so that stackoverflow has it too:

If the cookie were set to expire at browser close, it would cause CSRF errors for users who closed a browser (or bookmarked a page with a form on it) and then loaded that page from a browser cache and submitted the form. I'm ambivalent about whether this use case is worth supporting (it may be important on mobile devices, for example), but I don't believe that setting the cookie to expire on browser close provides much security benefit to an otherwise properly configured site (HTTPS, HSTS, etc.).

Django's CSRF implementation differs[1] from many others which store CSRF information alongside session information on the server. The CSRF mechanism functions by matching a token provided in a form with a token provided as a cookie in the browser. If you set the cookie to 'zzz', it will still function perfectly well. The security comes from the fact that an attacker cannot set the cookie, not that it happens to contain any specific cryptographic value.

If the concern is that an attacker could access a user's physical computer between sessions and steal a CSRF token, setting it to expire at browser close would not prevent an attacker from inserting a cookie of known value that would be used during the next session. I'm not convinced we can secure the tokens of a user whose computer has been physically accessed by an attacker.

Still, if it can be convincingly demonstrated that setting the cookie to expire at browser close would not break existing use cases (mobile browsers are my chief concern) I'd be open to changing the default behavior. We generally consider it a bug if any non-malicious user can, through innocent behavior, trigger the CSRF warning.

[1] Django's CSRF implementation usually sets off all kinds of false alarms in most pen-tester tools, since it doesn't work exactly the same way other implementations do, and isn't tied to the session cookie.
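As an added illustration (not Django's own code, and a simplified model of the double-submit check the answer describes, ignoring Django's token masking and its Referer checks on HTTPS), the following shows why the cookie's value is irrelevant, why a cross-site form cannot satisfy the check, and how a cached form submitted after the cookie has been replaced trips a false CSRF failure:

```python
import hmac
import secrets

COOKIE_NAME = "csrftoken"          # hypothetical cookie name for this model
FORM_FIELD = "csrfmiddlewaretoken"  # hypothetical hidden form field name


def issue_token() -> str:
    """Mint a fresh random token. The value itself carries no meaning;
    it only has to be unguessable and identical in cookie and form."""
    return secrets.token_hex(16)


def csrf_check(cookies: dict, form: dict) -> bool:
    """Double-submit check: the token in the form must equal the token the
    browser sent as a cookie. Constant-time compare avoids timing leaks."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FORM_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def demo() -> dict:
    """Constructed scenarios mirroring the answer's argument."""
    token = issue_token()
    results = {}
    # Legitimate submit: the form token matches the cookie.
    results["legit"] = csrf_check({COOKIE_NAME: token}, {FORM_FIELD: token})
    # A cookie literally set to 'zzz' still works as long as the page's form
    # carries the same value: security rests on who can set the cookie.
    results["zzz"] = csrf_check({COOKIE_NAME: "zzz"}, {FORM_FIELD: "zzz"})
    # Cross-site post: the browser attaches the victim's cookie, but the
    # foreign page cannot read it, so its form token is a guess or absent.
    results["cross_site"] = csrf_check({COOKIE_NAME: token}, {FORM_FIELD: "guess"})
    results["missing"] = csrf_check({COOKIE_NAME: token}, {})
    # Browser-close expiry scenario: a form loaded from cache carries the
    # old token, but the browser now holds a freshly issued cookie, so an
    # honest user is rejected. This is the false alarm the answer warns about.
    results["stale"] = csrf_check({COOKIE_NAME: issue_token()}, {FORM_FIELD: token})
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>10}: {'accepted' if ok else 'rejected'}")
```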

A similar question about the Django CSRF cookie (why it does not expire when the browser closes) was found on Stack Overflow: https://stackoverflow.com/questions/19183023/
