Question

Some frameworks (e.g. Django) support CSRF protection for users without any kind of session. What is the benefit of that?

What is the exploit that a CSRF attack could take advantage of when there is no existing session for the user?


Solution

Off the top of my head:

  1. Having CSRF protection on day 1 means you don't need to worry about adding it after the fact if on day 17 you add user sessions
  2. Even if there are no explicit sessions, there could still be some other authentication or mechanism protecting the site (an example would be if you were running a Django site on your private network: if you were browsing that site AND evil.com from inside your network, evil.com could trick your browser into sending requests to your private site. Rather unlikely, but it at least makes the point, I hope.)

You might also want to raise this on the security stack overflow.

(Updated based on comment below) Even if there were no authentication or other reason to trust the browser, there are two other weak benefits of using CSRF protection: as Bobince points out, it does prevent simpler spamming attacks (since they now need to connect to the first page to get the CSRF token), and it also means that if someone does do something malicious, the IP in the server logs is going to be linked to them and not to the client's IP. (Of course, that's spoofable, etc., but it's still slightly better than making it trivial to make it look like the attack is coming from someone else.)

OTHER TIPS

  1. If you were using some form of persistent authentication that wasn't based around session association (e.g. HTTP Basic Auth), that would still need CSRF protection.

  2. For entirely anonymous connections, it can still act as an obfuscation measure to block automated form submissions from the stupider kind of bots.
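Both answers above rest on the same point: a cookie-based CSRF check needs no server-side session, because the secret lives in a cookie the browser holds, and the cross-site attacker can make the browser send that cookie (and any ambient Basic Auth credentials) but cannot read it to fill in the matching form field. The following is an added, self-contained example modelled on the shape of Django's cookie-based mechanism (secret cookie, masked form token, constant-time comparison); it is not Django's own code, and the `request` dicts, cookie and field names are constructed for the demonstration.

```python
import hmac
import secrets
import string

# Constructed example modelled on Django's cookie-based CSRF check. The secret
# is stored in a client cookie, not in a server-side session, so anonymous
# requests can be checked too. Not Django's own implementation.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"            # assumed cookie name
FORM_FIELD = "csrfmiddlewaretoken"   # assumed hidden form field
HEADER_NAME = "X-CSRFToken"          # assumed header for same-origin JS


def generate_secret() -> str:
    """Random per-client secret; set once in the CSRF cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Combine the secret with a fresh random mask so each rendered form token
    differs (a BREACH mitigation). Output is mask + ciphered secret."""
    mask = "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: recover the secret from mask + cipher."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def _well_formed(value: str, length: int) -> bool:
    return len(value) == length and all(c in CSRF_ALLOWED_CHARS for c in value)


def check_csrf(request: dict) -> tuple:
    """Return (accepted, reason) for a constructed request dict with keys
    method, cookies, form, headers. No session store is consulted anywhere."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    cookie_secret = request["cookies"].get(COOKIE_NAME)
    if cookie_secret is None or not _well_formed(cookie_secret, CSRF_SECRET_LENGTH):
        return False, "CSRF cookie not set"
    token = request["form"].get(FORM_FIELD) or request["headers"].get(HEADER_NAME)
    if not token:
        return False, "CSRF token missing"
    if not _well_formed(token, 2 * CSRF_SECRET_LENGTH):
        return False, "CSRF token has incorrect length or characters"
    # Constant-time compare so token guessing leaks nothing through timing.
    if not hmac.compare_digest(unmask_token(token), cookie_secret):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo() -> dict:
    """Three constructed POSTs against a site that issued `secret` to a victim."""
    secret = generate_secret()
    # Victim submits the site's own form: hidden field carries a masked token.
    legit = {"method": "POST", "cookies": {COOKIE_NAME: secret},
             "form": {FORM_FIELD: mask_secret(secret), "comment": "hi"}, "headers": {}}
    # evil.com auto-submits a form to the site: the browser attaches the cookie
    # (and any Basic Auth credentials), but evil.com cannot read the cookie, so
    # it cannot supply the matching hidden field.
    forged = {"method": "POST", "cookies": {COOKIE_NAME: secret},
              "form": {"comment": "spam"}, "headers": {}}
    # Attacker fetched the form page themselves and replays their own token;
    # it was masked from a different secret than the victim's cookie.
    replayed = {"method": "POST", "cookies": {COOKIE_NAME: secret},
                "form": {FORM_FIELD: mask_secret(generate_secret())}, "headers": {}}
    return {"legit": check_csrf(legit), "forged": check_csrf(forged), "replayed": check_csrf(replayed)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check never touches a session: everything it needs arrives with the request (the cookie the browser holds plus the token the same-origin page rendered). That is also why the spam-bot point holds: a bot must first fetch the form page, from its own IP, to obtain a cookie/token pair it can submit together.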

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow