> stores it on the server somewhere you don't need to store anything on the serv...

smagin · 2025-03-03T15:37:34 1741016254

> How does server know the cookie is valid if it doesn't store it

depending on why you'are asking the question, * because it decrypts correctly * because it contains some user identifier

People don't usually store sessions in cookies because cookies can't be very big, and session do become big. So what people do instead they store cookies in databases, and put session identifiers into cookies.

hansonkd · 2025-03-03T17:47:05 1741024025

You don't need to store CSRF in sessions. Django doesn't by default.

CSRF token can be entirely separate from sessions.

smagin · 2025-03-03T18:47:01 1741027621

not even you don't need to, you shouldn't. Sessions shouldn't be accessible to js at all

mewpmewp2 · 2025-03-03T15:27:29 1741015649

How does server know the cookie is valid if it doesn't store it and how does it know csrf token is valid if it doesn't store it and finally how does it know that this csrf token relates to this cookie session token if it doesn't store it?

hansonkd · 2025-03-03T17:48:51 1741024131

The CSRF token can have nothing to do with the cookie session information. you can store CSRF as a separate cookie.

You can validate the CSRF is valid by keeping a key on your server and matching that the token you get can be derived from that key.

See Django's implementation of CSRF for more details. CSRF tokens are separate from session and no CSRF information needs to be stored in database to validate CSRF.