Changes between Version 9 and Version 10 of CsrfProtection
- Timestamp: Aug 3, 2009, 8:45:54 AM
CsrfProtection
v9 v10 49 49 The main contenders are: 50 50 51 * 'HMAC of session identifier'. This was provided by Django 1.0 in !Csrf ViewMiddleware, and is referred to as the 'CSRF token'. All incoming POST requests that have an active session are required to have a CSRF token that is a hash of the session identifier and the site's SECRET_KEY.51 * 'HMAC of session identifier'. This was provided by Django 1.0 in !CsrfMiddleware and in 1.1 in !CsrfViewMiddleware, and is referred to as the 'CSRF token'. All incoming POST requests that have an active session are required to have a CSRF token that is a hash of the session identifier and the site's SECRET_KEY. 52 52 53 53 * 'session independent nonce'. A random value is stored in a cookie, unique to every user, and POST forms must contain the same value as a token. … … 57 57 == Methods of token insertion == 58 58 59 * Django 1.0 and 1.1 provided !CsrfResponseMiddleware which did automatic insertion of the token in outgoing pages, to all POST forms. This has several problems:59 * Django 1.0 provided !CsrfMiddleware and 1.1 provided !CsrfResponseMiddleware which did automatic insertion of the token in outgoing pages, to all POST forms. This has several problems: 60 60 * The performance hit from doing the post processing. 61 61 * It removes the ability to do streaming of responses (should that become a possibility in future Django versions)
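Review bot: in the first hunk (line 51), the bullet is titled 'HMAC of session identifier' but the sentence that follows describes the CSRF token as "a hash of the session identifier and the site's SECRET_KEY"; the two terms are not interchangeable, since a keyed HMAC and a plain hash over a concatenation have different security properties, so the wiki text should pick one and describe the construction consistently. The new wording correctly names !CsrfMiddleware for 1.0 and !CsrfViewMiddleware for 1.1 and fixes the stray space in the old "!Csrf ViewMiddleware".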
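Review bot: in the second hunk (line 59), "Django 1.0 provided !CsrfMiddleware and 1.1 provided !CsrfResponseMiddleware which did automatic insertion" leaves it ambiguous whether only the 1.1 middleware did the insertion; suggest "both of which did automatic insertion of the token into all POST forms in outgoing pages". In the unchanged line 60, "the post processing" sits next to "POST forms" and is easy to misread; "response post-processing" would make clear that the cost being described is rewriting the outgoing response.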