Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I use Flask WTForms and CSRF without session cookie?

Tags:

python

cookies

flask

session-cookies

flask-wtforms

I have a very simple app that has no user management or any Flask-Login auth needs. It has forms, WTForms. All I want to do is collect some data submitted by the form. I could technically disable CSRF validation but Flask WTForms really urges me not to.

I'd like to disable flask session cookie in the browser because it seems unnecessary and I would need to put a cookie banner for GDPR compliance. So to avoid all that, I thought of disabling flask session cookie as follows:

class CustomSessionInterface(SecureCookieSessionInterface):
    """ Disable session cookies """
    def should_set_cookie(self, app: "Flask", session: SessionMixin) -> bool:
        return False

# App initialization
app = Flask(__name__)
app.session_interface = CustomSessionInterface()

But doing so leads to a 500 error: "The CSRF session token is missing". However, looking at the HTML that was rendered has the following csrf token rendered properly:

<input id="csrf_token" name="csrf_token" type="hidden" value="ImI2ZDIwMDUxMDNmOGM3ZDFlMTI4ZTIzODE4ODBmNDUwNWU3ZmMzM2Ui.YhA2kQ.UnIHwlR1qLL61N9_30lDKngxLlM">

Questions:

  1. What is the relationship between CSRF token validation and session cookie? Why is a cookie necessary to validated the CSRF token?
  2. I tried enabling session cookies again, deleting the cookie in Chrome developer tools leads to the same error. So, indeed, session cookie seems to be absolutely necessary to validate CSRF token.
  3. How can I use CSRF form validation without a session cookie?

Thank you so much.

like image 748
Neil Avatar asked Oct 23 '25 15:10

Neil

2 Answers

I found out from the code base of WTForms: https://github.com/wtforms/flask-wtf/blob/565a63d9b33bf6eb141839f03f0032c03894d866/src/flask_wtf/csrf.py#L56

Basically, session['csrf_token'] is stored in the session and compared against the form.hidden() tag (or form.csrf_token) in the HTML body.

This is not clearly explained in the docs. But the codebase makes it clear. I guess there is no way to do CSRF protection without secure cookies.

The downside of this is that you can't get rid of cookies. I suspect, one could build a server-side session database, but then there are issues with scaling your Flask app horizontally.

like image 61
Neil Avatar answered Oct 25 '25 05:10

Neil

You should check if it helps you:

https://wtforms.readthedocs.io/en/3.0.x/csrf/#creating-your-own-csrf-implementation

This allows you to create your own implementation of csrf token generation and validation in which you do not need to use cookies.

like image 31
krank Avatar answered Oct 25 '25 04:10

krank

Sign in to Comment

Related questions

Get user status (disabled or active) in Active Directory with ldap3 Python
python set of objects with custom hash behavior
the queryset attribute of django REST api generic views
Django - Multiple instances of same form class in one view
How do I use mysql-connector-python with MAMP?
Why is defaultdict creating an array for my values?
Pandas MemoryError on server with more Memory
Convert bytes to a file object in python
Unable to clone Python venv to another PC
How to min/max value in multiple columns of a pandas dataframe?
Creating objects during runtime in Python
Difference between numpy.zeros(n) and numpy.zeros(n,1) [duplicate]
Python: Generating a symmetric array with list comprehension
Define age in django template using actual datatime and birthday with datafield
python turtle canvas scrolling
Missing symbols in Pyautogui typewriter
Using apply_async with callback function for a pool of processes
Boost Python class export fails to compile with linking error in visual studio 2013
decoding \u200e to string
tf.data.Dataset.from_tensor_slices, tensors and eager mode

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!