
How to break out of a frame without being logged out in django?

 _________
|A       |
|  _____ |
| |B   | |
| |____| |
|________|

The user is authenticated on django-based site B.

Site A attempts to display site B in an iframe.

Currently, site B will always log the user out when displayed in this manner. I assume this is some security feature of django. How can I simply make my site break out of the frame without the user being logged out?

edit: after testing this some more, it seems it only happens when Site A is also a django site.

I don't think this is a security feature of Django. The only thing like it in Django is clickjack protection, but that's still in the dev version only and doesn't work anything like this. It actually makes the site not load at all in the frame in modern browsers. See:

https://docs.djangoproject.com/en/dev/ref/clickjacking/

Are you sure there's nothing in your project that is implementing this behavior?

UPDATE BASED ON EDIT

That makes much more sense. It's because the cookies and sessions are overwriting each other. It's not so much "logging the user out" as simply inheriting the non-logged-in state of the parent frame.

Use the SESSION_COOKIE_NAME setting in settings.py to change the cookie used for authentication on either site A or site B.
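The cookie collision the answer describes, as an added example that is not part of the original post or of Django itself: a toy browser cookie jar and two toy "Django" sites show why two projects that share the default `SESSION_COOKIE_NAME` (`sessionid`) and the same cookie host overwrite each other's session, and why giving each site its own cookie name keeps the user logged in to site B. The jar keys cookies by host only, as real browsers do (two dev servers on localhost with different ports share cookies), and the session handling is a simplified stand-in for Django's behaviour of discarding an unknown session key and issuing a fresh one. Host and cookie names are assumed values.

```python
from __future__ import annotations

DEFAULT_COOKIE_NAME = "sessionid"  # Django's default SESSION_COOKIE_NAME


class CookieJar:
    """Minimal browser cookie jar: one value per (cookie host, cookie name).

    Like a real browser it keys cookies by host, not by port, so two dev servers
    on localhost:8000 and localhost:8001 share one jar entry per cookie name.
    """

    def __init__(self) -> None:
        self.store: dict[tuple[str, str], str] = {}

    def set_cookie(self, host: str, name: str, value: str) -> None:
        self.store[(host, name)] = value  # same (host, name) => overwrite

    def cookies_for(self, host: str) -> dict[str, str]:
        return {name: value for (h, name), value in self.store.items() if h == host}


class ToyDjangoSite:
    """Constructed stand-in for one Django project (not real Django code)."""

    def __init__(self, label: str, cookie_name: str = DEFAULT_COOKIE_NAME) -> None:
        self.label = label
        self.cookie_name = cookie_name  # what settings.SESSION_COOKIE_NAME would be
        self.sessions: dict[str, str | None] = {}  # session key -> username (None = anonymous)
        self._counter = 0

    def _new_session(self, jar: CookieJar, host: str, user: str | None) -> None:
        self._counter += 1
        key = f"{self.label}-session-{self._counter}"
        self.sessions[key] = user
        jar.set_cookie(host, self.cookie_name, key)  # the Set-Cookie response header

    def login(self, jar: CookieJar, host: str, username: str) -> None:
        self._new_session(jar, host, username)

    def anonymous_view_touching_session(self, jar: CookieJar, host: str) -> None:
        """A view that writes to request.session for a visitor who is not logged in."""
        key = jar.cookies_for(host).get(self.cookie_name)
        if key not in self.sessions:
            # Unknown key (it belongs to the other site, or there was none): the
            # site discards it and creates a fresh anonymous session, which
            # overwrites whatever cookie of that name the browser already held.
            self._new_session(jar, host, None)

    def current_user(self, jar: CookieJar, host: str) -> str | None:
        key = jar.cookies_for(host).get(self.cookie_name)
        return self.sessions.get(key)


def framed_page_outcome(host: str, site_a_cookie: str, site_b_cookie: str) -> str | None:
    """Who does site B see once site A (not logged in) frames it? None = logged out."""
    jar = CookieJar()
    site_a = ToyDjangoSite("A", site_a_cookie)
    site_b = ToyDjangoSite("B", site_b_cookie)
    site_b.login(jar, host, "alice")                    # 1. user logs in to site B directly
    site_a.anonymous_view_touching_session(jar, host)   # 2. user opens site A, anonymous
    return site_b.current_user(jar, host)               # 3. A's iframe requests site B


if __name__ == "__main__":
    # Both sites on the default name: A's new anonymous cookie replaces B's.
    print(framed_page_outcome("localhost", "sessionid", "sessionid"))  # None
    # Each site with its own SESSION_COOKIE_NAME: B's cookie survives.
    print(framed_page_outcome("localhost", "sitea_sessionid", "siteb_sessionid"))  # alice
    # In a real project the fix from the answer is one line in site B's settings.py
    # (the name is an assumed example):
    #   SESSION_COOKIE_NAME = "siteb_sessionid"
```

The collision only exists when the browser scopes both sites' cookies to the same host (or the same `SESSION_COOKIE_DOMAIN`); sites on genuinely different domains keep separate `sessionid` cookies, which is why the question's behaviour is typical of local development with two Django servers on one hostname.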
