
Is this how Django's CSRF protection works?
Being a beginner at cookies, CSRF and Django (using 1.4), from what I can make out this is how it works, please correct me where I go wrong...

The following applies where django.middleware.csrf.CsrfViewMiddleware is included in the MIDDLEWARE_CLASSES tuple.

Where a POST form includes the csrf_token tag, and the view concerned passes RequestContext to the template, requesting the page means Django includes a hidden form field which contains an alphanumeric string. Django also returns to the browser a cookie with the name set to csrftoken and the value set to the same alphanumeric string.

When receiving the form submission, Django checks that the alphanumeric string value from the hidden form field matches the csrftoken cookie received from the browser. If they don't match, a 403 response is issued.

A CSRF attack might come in the form of a malicious web site that includes an iframe. The iframe includes a POST form and some JavaScript. The form's action attribute points to my Django site. The form is designed to do something nasty at my site, and the JS submits the form when the iframe is loaded.

The browser would include the csrftoken cookie in the header of the form submission. However, the form would not include the hidden field with the matching alphanumeric string, so a 403 is returned and the attack fails. If the iframe JS tried to access the cookie, so as to create the correct hidden form field, the browser would prevent it from doing so.

Is this correct?
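The mechanism the question describes (token in a cookie, same token in a hidden field, compared on every unsafe request) can be modelled in a few dozen lines. The code below is an added, self-contained illustration written for this page; it is not Django's own CsrfViewMiddleware and does not import Django. The cookie and field names (csrftoken, csrfmiddlewaretoken), the set of "safe" methods that skip the check, and the extra Referer check on HTTPS requests mirror what Django's middleware does, but the function names, the dict-based request representation and the two scenario helpers are assumptions made for the example. The scenarios reuse the question's own situation: a legitimate form round-trip, and a cross-site form that carries the victim's cookie but cannot carry the matching field.

```python
"""Model of Django-style 'double submit' CSRF checking (illustration only).

Not Django's code. It mimics the shape of CsrfViewMiddleware:
  * the server issues a random token in a cookie named 'csrftoken';
  * a template using {% csrf_token %} embeds the same value in a hidden
    field named 'csrfmiddlewaretoken';
  * on any non-safe request the two must match, otherwise the request is
    rejected with 403 before the view runs;
  * on HTTPS, the Referer must additionally point at our own origin.
"""
import hmac
import re
import secrets

COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # never state-changing
OUR_HOST = "example.test"  # assumed hostname of "my Django site"


def new_token():
    """Fresh unguessable token; the cookie and hidden field both carry it."""
    return secrets.token_hex(16)


def render_form(token):
    """What a template with {% csrf_token %} emits inside the <form>."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def csrf_check(method, cookies, post_data, secure=False, referer=None):
    """Return (status, reason): 200 lets the view run, 403 rejects."""
    if method in SAFE_METHODS:
        return 200, "safe method, no check"
    if secure:
        # Over HTTPS the cookie alone is not trusted: a network attacker on a
        # plain-HTTP page could have planted one, so the Referer must be ours.
        if referer is None:
            return 403, "Referer checking failed - no Referer"
        if not referer.startswith(f"https://{OUR_HOST}/"):
            return 403, "Referer checking failed - wrong origin"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return 403, "CSRF cookie not set"
    field_token = post_data.get(FIELD_NAME, "")
    # Constant-time compare so response timing leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, field_token):
        return 403, "CSRF token missing or incorrect"
    return 200, "ok"


def token_from_html(html):
    """Pull the hidden field value back out of rendered HTML (assumed helper)."""
    return re.search(rf'name="{FIELD_NAME}" value="([0-9a-f]+)"', html).group(1)


def scenario_legitimate():
    """Our own page: browser stores the cookie and posts the field it was served."""
    token = new_token()
    field_value = token_from_html(render_form(token))
    return csrf_check("POST", {COOKIE_NAME: token}, {FIELD_NAME: field_value})


def scenario_cross_site():
    """Attacker's iframe form auto-submits to our site. The browser attaches
    the victim's cookie, but same-origin policy stops the attacker's script
    reading it, so the hidden field is absent (constructed attacker input)."""
    token = new_token()  # victim already holds this cookie from a real visit
    return csrf_check("POST", {COOKIE_NAME: token}, {"amount": "1000"})


def scenario_cross_site_guess():
    """Attacker includes the field but with a value of its own choosing."""
    token = new_token()
    return csrf_check("POST", {COOKIE_NAME: token}, {FIELD_NAME: "0" * 32})


if __name__ == "__main__":
    for name, fn in [("legitimate", scenario_legitimate),
                     ("cross-site, no field", scenario_cross_site),
                     ("cross-site, guessed field", scenario_cross_site_guess)]:
        print(f"{name:28s} -> {fn()}")
```

The point the model makes explicit is that the check never asks "does this request carry a csrftoken cookie?" (the attacker's form always does, because the browser attaches cookies automatically); it asks whether the request body also contains the value that only a page served from our origin could have read.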