开发者

Django with custom authentication backends, is Csrf middleware really required?

Under Django 1.1.1, I am using several authentication backends such as social-registration for facebook connect and django-emailauth for email based authentication instead of user names.

I am curious if the Csrf middleware is an essential security measure as it seems like 开发者_开发百科it sometimes generates problems, especially with facebook connect.

My project is rather simple. Each user have a profile which they can fill and a purchase page where they fill the payment for to do purchases. Either of these pages are protected via @login_required.


Well, it protects your site from already logged-in-but-fooled (in their browser) users. It would be better to rather have it turned on. login_required is irrelevant here.

As for the problems, yes, it can cause some. There are two ways to fix:

  1. If you do ajax requests, django is smart enough to turn off protection based on HTTP headers, basically any request from any ajax library should go throught.

  2. In cases where headers can't help you, put csrf_exempt decorator on your view.

Bottom line: use csrf on your money-views and disable it either way for facebook etc.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜