开发者

Is the {% csrf_token %} CSRF protection tag still necessary in Django 1.2?

I am testing the CSRF protection on my site and I have noticed something unexpected.

I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form> element. I changed the ID of the fo开发者_如何学Gorm to make sure it was definitely updating the source and it was but the hidden input is still there.

I am using Django 1.2. Is {% csrf_token %} still necessary?

Cheers

Rich


After more investigation it appears the {% csrf_token %} is always inserted if the form has method post and not if it doesn't. Very clever auto protection from Django.


From the documentation:

In Django 1.1, the template tag did not exist. Instead, a post-processing middleware that re-wrote POST forms to include the CSRF token was used. If you are upgrading a site from version 1.1 or earlier, please read this section and the Upgrading notes below.

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#legacy-method

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜