1) I know the difference between sessions and logging in. I didn't say anything about logging in; I said that our CSRF protection protects users without sessions. Not all sites use sessions (some for performance reasons, others for privacy reasons); must those sites be vulnerable to CSRF?

2) First, you should report this to Bitbucket: https://www.atlassian.com/security. And c'mon, disclosing a possible CSRF vulnerability on a public board is kinda irresponsible. Is responsible disclosure not something you practice?

SecondI don't know what Bitbucket is running, exactly, and exrapolating from Bitbucket to Django is pretty lazy. Frameworks != sites. Once again, we've spent quite of bit of time validating the design and implementation of Django's CSRF protection, and we believe it works. If you find proof otherwise, can you please send it to security@djangoproject.com, and not post it to Hacker News?

1) only to make sure we are on the same page. Now I see - we have different understanding of "session".

>Not all sites use sessions (some for performance reasons, others for privacy reasons);

what kind of site doesn't use sessions? To track a user you need a cookie right?

2) Frameworks != sites. As I used to think, only framework is responsible for CSRF protection, hence I extrapolated. I sent it to security@ as soon as I found this email. I am trying to not proclaim anything but some websites from http://www.djangosites.org/ are vulnerable.

Could you clarify what actually can be done by this? From what I can see, you can't do XSS because it's escaped.

I guess there's the chance that you could do CSRF because you've essentially "set" their CSRF token?

XSS? unrelated here I think.

Exactly, cookie forcing/tossing = "set" their CSRF token