Being a beginner at cookies, CSRF and Django (using 1.4), from what I can make out this is how it works, please correct me where I go wrong...
作为cookie的初学者,CSRF和Django(使用1.4),从我可以看出它是如何工作的,请纠正我出错的地方......
The following applies where django.middleware.csrf.CsrfViewMiddleware is included in the MIDDLEWARE_CLASSES tuple.
以下适用于MIDDLEWARE_CLASSES元组中包含django.middleware.csrf.CsrfViewMiddleware的情况。
Where a POST form includes the csrf_token
tag, and the view concerned passes RequestContext
to the template, requesting the page means Django includes a hidden form field which contains an alphanumeric string. Django also returns to the browser a cookie with the name set to csrftoken
and value set to the same alphanumeric string.
如果POST表单包含csrf_token标记,并且相关视图将RequestContext传递给模板,则请求页面意味着Django包含一个包含字母数字字符串的隐藏表单字段。 Django还向浏览器返回一个cookie,其名称设置为csrftoken,值设置为相同的字母数字字符串。
When receiving the form submission, Django checks that the alphanumeric string value from the hidden form field matches and the csrftoken cookie received from the browser. If they don't match a 403 response is issued.
收到表单提交时,Django会检查隐藏表单字段中的字母数字字符串值是否匹配以及从浏览器收到的csrftoken cookie。如果它们不匹配则发出403响应。
A CSRF attack might come in the form of a malicious web site that includes an iframe. The iframe includes a POST form and some JavaScript. The form's action
attribute points to my Django site. The form is designed to do something nasty at my site, and the JS submits the form when the iframe is loaded.
CSRF攻击可能以包含iframe的恶意网站的形式出现。 iframe包含POST表单和一些JavaScript。表单的action属性指向我的Django站点。该表单旨在在我的站点上做一些讨厌的事情,并且在加载iframe时JS提交表单。
The browser would include the csrftoken
cookie in the header of the form submission. However, the form would not include the hidden field with the matching alphanumeric string, so a 403 is returned and the attack fails. If the iframe JS tried to access the cookie, so as to create the correct hiddden form field, the browser would prevent it from doing so.
浏览器将在表单提交的标题中包含csrftoken cookie。但是,表单不会包含带有匹配的字母数字字符串的隐藏字段,因此返回403并且攻击失败。如果iframe JS试图访问cookie,以便创建正确的hiddden表单字段,浏览器将阻止它这样做。
Is this correct?
它是否正确?
2 个解决方案
#1
0
I would say that you are right. You will find here my own formulation of it.
我会说你是对的。你会在这里找到我自己的配方。
To summarize:
总结一下:
- The CSRF token is sent from the code, which means that the malicious code must know it.
- CSRF令牌是从代码发送的,这意味着恶意代码必须知道它。
- The CSRF token is stored in a cookie and sent by the browser.
- CSRF令牌存储在cookie中并由浏览器发送。
- The attacker cannot access the cookie because of the same-origin policy.
- 由于同源策略,攻击者无法访问cookie。
- The server can simply verify that the "safe" value coming from the cookie is the same as the one coming from the code.
- 服务器可以简单地验证来自cookie的“安全”值是否与来自代码的值相同。
#2
1
I think what you want is described here in the official Django Documentation. https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works
我认为你想要的是在Django官方文档中描述的。 https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works
Above link was broken when I tried, but for version 1.7 this works: https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/
当我尝试时,上面的链接被打破了,但是对于1.7版本,它可以工作:https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/
#1
0
I would say that you are right. You will find here my own formulation of it.
我会说你是对的。你会在这里找到我自己的配方。
To summarize:
总结一下:
- The CSRF token is sent from the code, which means that the malicious code must know it.
- CSRF令牌是从代码发送的,这意味着恶意代码必须知道它。
- The CSRF token is stored in a cookie and sent by the browser.
- CSRF令牌存储在cookie中并由浏览器发送。
- The attacker cannot access the cookie because of the same-origin policy.
- 由于同源策略,攻击者无法访问cookie。
- The server can simply verify that the "safe" value coming from the cookie is the same as the one coming from the code.
- 服务器可以简单地验证来自cookie的“安全”值是否与来自代码的值相同。
#2
1
I think what you want is described here in the official Django Documentation. https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works
我认为你想要的是在Django官方文档中描述的。 https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works
Above link was broken when I tried, but for version 1.7 this works: https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/
当我尝试时,上面的链接被打破了,但是对于1.7版本,它可以工作:https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/