0
votes

I'm trying to learn Django and I'm trying to implement a CSRF token for some sensitive actions. But when I intercept the request/response I get csrf_token in every request in the cookie field, and on the web pages where I have actually implemented the csrf_token, in those requests I get another CSRF token as the csrfmiddlewaretoken parameter in the data. So I want to know why I get two CSRF tokens in my request and response.

POST /demo/login/ HTTP/1.1
Host: xx.xx.xx.xx:8000
User-Agent: xxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx:8000/demo/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
Connection: close
Cookie: csrftoken=n4bSbWP8p9Uce3b5iAxI0UvDG0qQq7B3OwBXisww754LYztEm0wFf9ARLpVM2v7W
Upgrade-Insecure-Requests: 1

csrfmiddlewaretoken=VIqUszlij0OLyTgYEp7V2TRsNUtBqkISmaQZz52G1WYkipyxIP6Sh8WGSjYx2IeL&username=qwerty6&password=password%40123
1
add your form html portion - shafik
It looks like you have invented a CSRF protection where there has been one already. Show us some details of what you did! - Klaus D.
I have only included the csrf token on my login page (html) using {% csrf_token %}. - lunatic955

1 Answer

0
votes

According to the Django documentation:

For the value stored in the cookie:

In order to protect against BREACH attacks, the token is not simply the secret; a random salt is prepended to the secret and used to scramble it.

For the csrfmiddlewaretoken:

A hidden form field with the name csrfmiddlewaretoken present in all outgoing POST forms. The value of this field is, again, the value of the secret, with a salt which is both added to it and used to scramble it. The salt is regenerated on every call to get_token() so that the form field value is changed in every such response.

Therefore the values differ due to being scrambled in a different way.
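The salt-and-scramble scheme the quoted docs describe is short enough to reproduce, and doing so shows concretely why the two values in the captured request differ while still validating against each other. The block below is an added example, not Django's own code, although it follows the same approach Django's CsrfViewMiddleware uses: a 62-character alphabet, a 32-character secret, a 32-character random salt prepended to the shifted secret, giving the 64-character tokens seen in the question. The function names are my own; the two token strings are copied from the request captured in the question.

```python
import secrets
import string

# Same alphabet and sizes as Django's CSRF middleware (hence the 64-char tokens on the page)
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # 62 characters
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH                  # salt + scrambled secret

# Values copied from the captured request in the question
PAGE_COOKIE_TOKEN = "n4bSbWP8p9Uce3b5iAxI0UvDG0qQq7B3OwBXisww754LYztEm0wFf9ARLpVM2v7W"
PAGE_FORM_TOKEN = "VIqUszlij0OLyTgYEp7V2TRsNUtBqkISmaQZz52G1WYkipyxIP6Sh8WGSjYx2IeL"


def new_random_string(length=CSRF_SECRET_LENGTH):
    """Cryptographically random string over the allowed alphabet (used for secrets and salts)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def _indices(s):
    return (CSRF_ALLOWED_CHARS.index(c) for c in s)


def mask_secret(secret, salt=None):
    """Scramble `secret` with a fresh random salt and prepend the salt.

    Each secret character's alphabet index is shifted by the index of the
    corresponding salt character (mod 62). Because the salt is new on every
    call, the same secret yields a different token each time. That is the
    BREACH mitigation the docs describe: the token changes, the secret does not.
    """
    if salt is None:
        salt = new_random_string()
    cipher = "".join(CSRF_ALLOWED_CHARS[(x + y) % len(CSRF_ALLOWED_CHARS)]
                     for x, y in zip(_indices(secret), _indices(salt)))
    return salt + cipher


def unmask_token(token):
    """Undo the shift: the salt is the first half of the token, the scrambled secret the second."""
    salt, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(CSRF_ALLOWED_CHARS[(x - y) % len(CSRF_ALLOWED_CHARS)]
                   for x, y in zip(_indices(cipher), _indices(salt)))


def is_well_formed(token):
    """Reject anything that is not exactly 64 characters from the allowed alphabet."""
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def tokens_match(cookie_token, form_token):
    """Server-side check: validate shape, unmask both values, compare in constant time.

    Comparing the raw token strings would always fail, since the salts differ;
    the comparison has to be made on the recovered secrets.
    """
    if not (is_well_formed(cookie_token) and is_well_formed(form_token)):
        return False
    return secrets.compare_digest(unmask_token(cookie_token), unmask_token(form_token))


def demo():
    """Fresh secret, two independently masked copies: different strings, same secret."""
    secret = new_random_string()
    cookie_value = mask_secret(secret)   # what the csrftoken cookie would carry
    form_value = mask_secret(secret)     # what csrfmiddlewaretoken would carry
    return cookie_value != form_value and tokens_match(cookie_value, form_value)


if __name__ == "__main__":
    print("fresh secret, two maskings validate:", demo())
    print("page's cookie and form tokens validate:", tokens_match(PAGE_COOKIE_TOKEN, PAGE_FORM_TOKEN))
```

Running it on the two values from the question shows they unmask to the same 32-character secret, which is exactly why the middleware accepts the request even though the strings look unrelated. One version caveat for anyone reproducing this against a current install: since Django 4.1 the cookie holds the unmasked secret directly and only the form field (and the X-CSRFToken header) carries a masked value, so on newer versions the cookie will be 32 characters rather than the 64 seen here; the form-field behaviour described in the quoted docs is unchanged.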