

django 1.7 csrf_token not working: how is it supposed to work?

Page 1: Form with {% csrf_token %} in my template.

Page 2: Thanks page.

When I submit my form on Page 1 it uses HttpResponseRedirect to redirect to Page 2... so if the user refreshes the page it will not be able to resubmit...

but I just noticed that if the user goes back from Page 2 to Page 1... He can press the Submit button again and resubmit the same form... So... Is there a way to expire Page 1 when I show Page 2?

Just in case, my Middleware Classes are:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

That's not what a CSRF token is meant to do, though technically you could regenerate the token and the user will see a 403 Forbidden response when he tries to resubmit. A CSRF token should be just that, though - a token that prevents cross-site request forgery.

If a user should only be able to submit a form once, that should be handled in the form validation and checked against the database. Otherwise, going back and resubmitting the form is often considered an explicit action by the user and is handled the same as submitting a new form.

A CSRF token is designed to prevent other sites from posting content to your pages, thus preventing the creation of junk/spam records.

It is only designed for POST requests.

In order to prevent someone from writing a script that simply submits junk data to your pages, a unique token is generated using a secret key (which will not be known to the attacker).

On a legitimate request that comes from your site - your code generates a token using this key and sends it as part of the request.

The rogue request will not have this key, and your code will raise an appropriate error (thus preventing whatever action from taking place).

It is not designed to prevent legitimate, duplicate requests. There are two main ways to prevent this:

  1. Make sure you always redirect after POST (this is to prevent someone hitting refresh and then sending the same request again; although almost all modern browsers will warn when doing so).

  2. Control on the server side to prevent suspect duplicate entries.
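Both answers make the same distinction: the CSRF token proves a POST came from a page your site rendered, and a Back-button resubmission carries a perfectly valid token, so it passes; stopping duplicates is a separate, server-side control combined with redirect-after-POST. The following is an added, framework-free simulation of that reasoning; it is not code from either answerer or from Django. The `SECRET_KEY`, session id and `FormServer` class are constructed for the demo, and the token is a plain HMAC over the session id rather than Django's actual masked per-session token (the property that matters here, "token bound to a session this site issued", is the same).

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for Django's SECRET_KEY; a real deployment never hard-codes one.
SECRET_KEY = b"constructed-demo-secret-key"


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to a session (assumption: simplified HMAC scheme)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    return hmac.compare_digest(make_csrf_token(session_id), submitted)


class FormServer:
    """Toy server: GET renders Page 1, POST creates a record and redirects to Page 2."""

    def __init__(self) -> None:
        self.pending = {}   # session_id -> set of one-time form ids not yet consumed
        self.records = []   # records created by accepted submissions

    def get_form(self, session_id: str) -> dict:
        """GET Page 1: the hidden fields the template would render."""
        form_id = secrets.token_hex(8)
        self.pending.setdefault(session_id, set()).add(form_id)
        return {"csrfmiddlewaretoken": make_csrf_token(session_id), "form_id": form_id}

    def post_form(self, session_id: str, data: dict) -> tuple:
        """POST Page 1. Returns (status, redirect_location_or_reason)."""
        # 1. CSRF check: rejects POSTs that do not carry a token for this session.
        if not csrf_ok(session_id, data.get("csrfmiddlewaretoken", "")):
            return 403, "CSRF verification failed"
        # 2. Server-side duplicate control (point 2): each rendered form carries a
        #    one-time id that is consumed on the first successful submission.
        pending = self.pending.get(session_id, set())
        form_id = data.get("form_id")
        if form_id not in pending:
            return 409, "duplicate submission ignored"
        pending.discard(form_id)
        self.records.append(data.get("message", ""))
        # 3. Redirect after POST (point 1): a refresh on Page 2 only re-GETs /thanks/.
        return 302, "/thanks/"


def scenario() -> tuple:
    """Replay the asker's situation; returns (statuses of each POST, records created)."""
    srv = FormServer()
    sid = "session-abc"                               # constructed session id
    payload = dict(srv.get_form(sid), message="hello")
    statuses = [srv.post_form(sid, payload)[0]]       # first submit: 302 to /thanks/
    # Back button re-shows the cached Page 1: same CSRF token (still valid!),
    # same one-time form id (already consumed), so the duplicate is refused.
    statuses.append(srv.post_form(sid, payload)[0])
    # Cross-site POST with no token: this is the case the CSRF token is for.
    statuses.append(srv.post_form(sid, {"message": "spam"})[0])
    # A fresh GET of Page 1 issues a new form id; submitting it is an explicit
    # new submission, handled like any other (answer 1's point).
    statuses.append(srv.post_form(sid, dict(srv.get_form(sid), message="again"))[0])
    return statuses, len(srv.records)
```

Running `scenario()` gives `([302, 409, 403, 302], 2)`: the Back-button replay is stopped by the one-time form id, not by the CSRF check, while the forged request is the only one the CSRF token actually rejects. In a real Django view the consumed-id set would live in the session or the database so it survives across worker processes.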
