Changes between Version 9 and Version 10 of CsrfProtection
Timestamp: Aug 3, 2009, 8:45:54 AM (15 years ago)
Author: Luke Plant
Comment: --

  • CsrfProtection

    v9 v10  
    4949The main contenders are:
    5050
    51  * 'HMAC of session identifier'.  This was provided by Django 1.0 in !CsrfViewMiddleware, and is referred to as the 'CSRF token'.  All incoming POST requests that have an active session are required to have a CSRF token that is a hash of the session identifier and the site's SECRET_KEY.
     51 * 'HMAC of session identifier'.  This was provided by Django 1.0 in !CsrfMiddleware and in 1.1 in !CsrfViewMiddleware, and is referred to as the 'CSRF token'.  All incoming POST requests that have an active session are required to have a CSRF token that is a hash of the session identifier and the site's SECRET_KEY.
    5252 
    5353 * 'session independent nonce'.  A random value is stored in a cookie, unique to every user, and POST forms must contain the same value as a token.
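Review bot: on the v10 line (51) the bullet is named 'HMAC of session identifier' but the sentence that follows describes the token as "a hash of the session identifier and the site's SECRET_KEY"; those are two different constructions (an HMAC keyed with SECRET_KEY over the session id, versus an unkeyed hash over the concatenation of both), and the distinction matters for anyone reading this page as a specification. Since this edit already touches the line to fix which middleware shipped in 1.0 and 1.1, it would be worth stating precisely which construction !CsrfMiddleware / !CsrfViewMiddleware compute, e.g. "an HMAC, keyed with the site's SECRET_KEY, over the session identifier", so the name and the description agree.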
     
    5757== Methods of token insertion ==
    5858
    59  * Django 1.0 and 1.1 provided !CsrfResponseMiddleware which did automatic insertion of the token in outgoing pages, to all POST forms.  This has several problems:
     59 * Django 1.0 provided !CsrfMiddleware and 1.1 provided !CsrfResponseMiddleware which did automatic insertion of the token in outgoing pages, to all POST forms.  This has several problems:
    6060   * The performance hit from doing the post processing.
    6161   * It removes the ability to do streaming of responses (should that become a possibility in future Django versions)