Trying to learn about security. Curious about why in django when submitting a form (a POST), there are 2 separate "elements" that contain the same csrf token value:
They spot two different problems.
Cookie is to authenticate the client machine making the connection.
The hidden form field is to authenticate the source of the form.
Example Scenario: User A, on the client machine, could bookmark the form. User B logs on, gets a valid cookie from today. User A could submit the invalid form field from yesterday when the browser has a left-over cookie from user B's session.
what client/browser resources are typically compromised,
None.
and how is it that these csrf fields help protect us from the forgery requests?
The CSRF tokens establish identity.
One (and only one) browser has a CSRF cookie token. But that browser could have multiple copies of a site open or bookmarked forms.
One (and only one) page form on that browser has a CSRF form token.
The browser and form cookies must match to assure one browser/one form.
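The matching rule the answer describes, written out as an added, self-contained example (not Django's own middleware, which additionally masks the form value before comparing): the cookie token identifies the browser, the hidden field identifies the page that rendered the form, and the request is rejected unless both are present and equal. The cookie and field names assume Django's defaults; the tokens and request bodies are constructed inline.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple
from urllib.parse import parse_qs

CSRF_COOKIE_NAME = "csrftoken"           # Django's default cookie name (assumed default settings)
CSRF_FIELD_NAME = "csrfmiddlewaretoken"  # name of the hidden field Django's {% csrf_token %} renders


def issue_csrf_token() -> str:
    """Mint a fresh random token; the server sets it as the cookie and embeds it in the form."""
    return secrets.token_urlsafe(32)


def csrf_check(cookie_header: str, form_body: str) -> Tuple[bool, str]:
    """Double-submit check on one POST.

    cookie_header: raw value of the request's Cookie header.
    form_body:     raw application/x-www-form-urlencoded body.
    Returns (accepted, reason).
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    cookie_token: Optional[str] = jar[CSRF_COOKIE_NAME].value if CSRF_COOKIE_NAME in jar else None
    form_token: Optional[str] = parse_qs(form_body or "").get(CSRF_FIELD_NAME, [None])[0]
    if not cookie_token:
        return False, "CSRF cookie not set"        # browser never got a token from this site
    if not form_token:
        return False, "CSRF form token missing"    # e.g. a form posted from another origin
    # Constant-time compare so the check itself leaks nothing about the token via timing.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token mismatch"        # cookie and form came from different sessions
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Replay the answer's scenario: a form bookmarked yesterday vs. a cookie issued today."""
    yesterday = issue_csrf_token()   # token baked into the form user A bookmarked yesterday
    today = issue_csrf_token()       # token in the cookie user B received today
    cookie = f"{CSRF_COOKIE_NAME}={today}"
    legit = csrf_check(cookie, f"{CSRF_FIELD_NAME}={today}&comment=hi")      # accepted
    stale = csrf_check(cookie, f"{CSRF_FIELD_NAME}={yesterday}&comment=hi")  # rejected: mismatch
    cross = csrf_check(cookie, "comment=hi")                                # rejected: no field
    return legit, stale, cross
```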