
CSRF token cookie vulnerabilities during security scan

I am making a simple website for my employer using Django, and I had to run the code through a security scan to test for vulnerabilities. One of the issues is cookie vulnerabilities that I can't find documentation for.

The cookie vulnerabilities are raised when logging in to my website.

Here is the error - the scan is run by OCIO-Internet-Scan

CVSS: 5.0 Message: csrftoken Cookie has problem(s) csrftoken = J4S6ZO7ssz4TUIlRNv9d95mCFomAbXO1; Host = [removed] Path = /

  1. Cookie can be cached.
  2. Cookie is persistent. Cookie expires at: Wed, 07 Jun 2017

Persistent session-handling cookies: When a session-handling cookie is set persistently, it allows the cookie to be valid even after a user terminates a session. Therefore an attacker can use a session cookie stored as a text file by the browser to access restricted information.

Cacheable cookies: A cacheable cookie could be cached at a proxy or a gateway. It can result in serving a cookie value that is out of date or stale. An attacker may also steal such cookies if he has compromised that proxy or gateway.

My question is, where exactly can I make changes to the csrftoken behavior for this? I can't find it using google, and I cannot bring the website up until this is fixed. Am I even able to change how csrf acts to accommodate these errors?

It sounds like you want to change the CSRF_COOKIE_AGE setting to None:

Default: 31449600 (approximately 1 year, in seconds)

The age of CSRF cookies, in seconds.

The reason for setting a long-lived expiration time is to avoid problems in the case of a user closing a browser or bookmarking a page and then loading that page from a browser cache. Without persistent cookies, the form submission would fail in this case.

Some browsers (specifically Internet Explorer) can disallow the use of persistent cookies or can have the indexes to the cookie jar corrupted on disk, thereby causing CSRF protection checks to (sometimes intermittently) fail. Change this setting to None to use session-based CSRF cookies, which keep the cookies in-memory instead of on persistent storage.

That will cause it to be a session cookie instead of a persistent cookie. Session cookies don't have an expiration date so the browser holds them in memory for the current browser session only and then deletes them when the session is over.

You can find info on how to change the Django setting here.
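A way to verify the fix before re-running the scanner, as an added example that is not part of the question, the answer or Django's own code: the script below parses the Set-Cookie and Cache-Control headers of a login response and reports the two findings the scan raised. The sample headers are constructed, not captured from a server; the first mirrors the shape of the csrftoken cookie Django sets with CSRF_COOKIE_AGE at its default (Expires plus Max-Age=31449600), the second is what CSRF_COOKIE_AGE = None yields (no Expires, no Max-Age). The "cacheable" rule, a cookie counts as cacheable unless the response carries Cache-Control: private or no-store, is my assumption about what the scanner checks; the scan output does not say.

```python
# Added example (not from the question, the answer or Django): audit the headers
# a login response sets, for the two findings the scanner raised.
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    Splitting on ';' is safe: the Expires date contains a comma, not a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(set_cookies: List[str], cache_control: Optional[str]) -> Dict[str, List[str]]:
    """Return, per cookie name, the scanner-style findings that apply.

    "persistent": the cookie carries Expires or Max-Age, so the browser writes
                  it to disk and keeps it after the browsing session ends.
    "cacheable":  assumed heuristic (not stated by the scan output): no
                  Cache-Control directive (private or no-store) tells a shared
                  proxy or gateway not to store the response that set the cookie.
    """
    directives = {d.strip().lower() for d in (cache_control or "").split(",") if d.strip()}
    response_cacheable = not ({"private", "no-store"} & directives)
    findings: Dict[str, List[str]] = {}
    for header in set_cookies:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        issues: List[str] = []
        if "expires" in attrs or "max-age" in attrs:
            issues.append("persistent")
        if response_cacheable:
            issues.append("cacheable")
        findings[str(cookie["name"])] = issues
    return findings


# Constructed samples (not captured from a real server). The first has the shape
# of the csrftoken cookie Django sets with CSRF_COOKIE_AGE at its default of
# 31449600 seconds; the second is what CSRF_COOKIE_AGE = None produces: no
# Expires and no Max-Age, so the browser keeps it only for the current session.
DEFAULT_CSRF_COOKIE = (
    "csrftoken=EXAMPLETOKEN0123456789; expires=Wed, 07 Jun 2017 10:00:00 GMT; "
    "Max-Age=31449600; Path=/"
)
SESSION_CSRF_COOKIE = "csrftoken=EXAMPLETOKEN0123456789; Path=/"


if __name__ == "__main__":
    print("default CSRF_COOKIE_AGE, no Cache-Control:",
          audit_response([DEFAULT_CSRF_COOKIE], None))
    print("CSRF_COOKIE_AGE = None, Cache-Control: private:",
          audit_response([SESSION_CSRF_COOKIE], "private, no-cache"))
```

Note that CSRF_COOKIE_AGE = None clears only the "persistent" finding. The "cacheable" finding is a property of the response's Cache-Control header, which that setting does not touch, so check the login response's caching headers separately.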
