
> How does server know the cookie is valid if it doesn't store it

Depending on why you're asking the question:

* because it decrypts correctly
* because it contains some user identifier

People don't usually store sessions in cookies because cookies can't be very big, and sessions do become big. So what people do instead is store cookies in databases, and put session identifiers into cookies.
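The "it decrypts correctly" branch above is the stateless variant: the server keeps nothing per session and trusts the cookie because its own key vouches for it. The following is an added example (not code from the thread or from any framework) of that pattern using an HMAC-SHA256 tag over a small JSON payload; the key, field names and helper names are constructed for the demo. A MAC gives integrity, not secrecy, so the payload is readable by the client and must not carry anything confidential.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real server loads this from a secret store and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build a stateless session cookie: base64url(payload).base64url(HMAC-SHA256(payload))."""
    issued = int(time.time() if now is None else now)
    claims = {"uid": user_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, otherwise None.

    Nothing is looked up server side: validity comes from the MAC check alone.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time compare so the tag cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(tag, expected):
        return None  # payload or tag was altered
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = time.time() if now is None else now
    exp, uid = claims.get("exp"), claims.get("uid")
    if not isinstance(exp, int) or exp <= current or not isinstance(uid, str):
        return None  # expired or missing fields
    return uid
```

Because the tag covers the whole payload, changing `uid` or extending `exp` on the client side makes `verify_cookie` return `None`; the server-side-session alternative in the comment above avoids the size limit by putting only an opaque identifier in the cookie and keeping the data in the database.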




You don't need to store CSRF in sessions. Django doesn't by default.

A CSRF token can be entirely separate from sessions.


Not only do you not need to, you shouldn't. Sessions shouldn't be accessible to JS at all.



