
Right now my CSRF token is getting set as a cookie. I set my nginx caching settings to a one year expiration, which I believe may be lengthening the life of my CSRF token.

The discussion around this question: How long should the lifetime of a CSRF token be? states that a token shouldn't be a cookie in the first place, but this is default Django behavior. It also says that the token should only last the length of a session.

How long should a Django CSRF token persist?

asked by YPCrumble
  • The question does not state this, the question is exactly the same as yours and the answer states that csrf is not an access token. – Wtower Jun 27 '15 at 13:26
  • @Wtower the second comment states: "What makes a CSRF token special is that it's not a cookie and so not sent automatically on every request." I'm taking that into context when I look at the answer...my Django CSRF token is definitely a cookie which is part of why I am confused. – YPCrumble Jun 27 '15 at 13:30
  • That comment is both spot-on and completely wrong, which is a feat in itself. You have to understand that CSRF protection works by comparing two values that have to be the same. What makes it "special" is that one source of this token is not a cookie and is not sent automatically (by your browser) on every request. Yet, in Django's case and many other cases, the _other_ source of the token, the one to which the first is compared, _is_ a cookie that is sent on every request. As for the lifetime - it doesn't matter that much, as the cookie is frequently rotated. – knbk Jun 27 '15 at 14:38
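The two-source comparison described in the last comment, as an added example that is not part of the original thread: a small Python reimplementation of the masking scheme Django's CSRF middleware uses (written from memory here, not Django's own code). The cookie holds the secret, every rendered form carries a freshly salted mask of it, and the check only passes when the form token unmasks to the live cookie secret, which is why a form token cached for a year stops validating the moment the cookie is rotated (for example at login).

```python
import hmac
import secrets
import string

# Alphabet and secret length mirror Django's CSRF token format (illustrative
# reimplementation from memory; assumption, not Django's own module).
ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32


def new_secret() -> str:
    """The value stored in the csrftoken cookie; rotated e.g. at login."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Per-render token placed in the form / X-CSRFToken header: a random salt
    followed by the secret shifted by that salt. The value differs on every
    page render (defeating BREACH-style compression attacks) but still
    decodes to the same cookie secret."""
    salt = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))
    shifted = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % len(ALLOWED_CHARS)]
        for s, m in zip(secret, salt)
    )
    return salt + shifted


def unmask_token(token: str) -> str:
    """Recover the secret from a masked form/header token."""
    salt, shifted = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % len(ALLOWED_CHARS)]
        for c, m in zip(shifted, salt)
    )


def csrf_check(cookie_secret: str, request_token: str) -> bool:
    """The middleware's comparison: the cookie the browser sends automatically
    must agree with the token the page or script supplied explicitly.
    Reject malformed tokens up front; compare in constant time."""
    if len(request_token) != 2 * SECRET_LENGTH:
        return False
    if any(c not in ALLOWED_CHARS for c in request_token):
        return False
    return hmac.compare_digest(unmask_token(request_token), cookie_secret)
```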

0 Answers