Django caching causes CSRF violations


Question


My website uses django-registration for login/signup. Recently I introduced some cache middleware and it resulted in CSRF violations when attempting to do back-to-back new users sign-ups.


Here is the middleware statement from my settings.py:

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',          # <------
    'django.middleware.locale.LocaleMiddleware',
    'linaro_django_pagination.middleware.PaginationMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',       # <------
    'djangobb_forum.middleware.LastLoginMiddleware',
    'djangobb_forum.middleware.UsersOnline',
    'djangobb_forum.middleware.TimezoneMiddleware',
)


Not sure if this is a real problem or not. Does the order of the middleware statements matter?


It seems there must be a way for CSRF and Cache middleware to co-exist. Currently I removed the cache middleware.

Answer

According to https://docs.djangoproject.com/en/1.8/topics/cache/#the-per-site-cache


Once the cache is set up, the simplest way to use caching is to cache your entire site. You’ll need to add 'django.middleware.cache.UpdateCacheMiddleware' and 'django.middleware.cache.FetchFromCacheMiddleware' to your MIDDLEWARE_CLASSES setting, as in this example:

MIDDLEWARE_CLASSES = (
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
)

Note


No, that’s not a typo: the "update" middleware must be first in the list, and the "fetch" middleware must be last. The details are a bit obscure, but see Order of MIDDLEWARE_CLASSES below if you’d like the full story.

Not sure if this helps.
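Why the order matters, as an added illustration that is not part of the original question or answer and not Django's own code: Django runs process_request hooks top-to-bottom and process_response hooks bottom-to-top. CsrfViewMiddleware only adds the csrftoken cookie and the "Vary: Cookie" header in its response hook, so if UpdateCacheMiddleware sits below it in the list, its response hook runs first and stores the page before the Vary entry exists. The next visitor then gets the first visitor's cached form token and fails the check. The toy model below (constructed; the Request/Response classes, the register_view function, the session cookie values and the token format are simplifications of Django's real objects) replays two sign-ups with both orderings:

```python
"""Toy model of Django's per-site cache middleware ordering (constructed example)."""
import copy
import re
import secrets

FORM_TOKEN = re.compile(r'value="([0-9a-f]+)"')


class Request:
    def __init__(self, cookie_header):
        self.path = "/accounts/register/"
        self.headers = {"Cookie": cookie_header}
        self.cookies = dict(kv.split("=", 1) for kv in cookie_header.split("; ") if kv)
        self.csrf_token = None
        self.csrf_cookie_used = False
        self.update_cache = True  # FetchFromCache clears this on a cache hit


class Response:
    def __init__(self, body):
        self.body = body
        self.vary = []      # request headers the body depends on (Vary header)
        self.cookies = {}   # Set-Cookie values


def register_view(request):
    """Signup form; like {% csrf_token %}, it marks the token as used."""
    request.csrf_cookie_used = True
    return Response(f'<input name="csrfmiddlewaretoken" value="{request.csrf_token}">')


class CsrfViewMiddleware:
    def process_request(self, request):
        request.csrf_token = request.cookies.get("csrftoken") or secrets.token_hex(8)

    def process_response(self, request, response):
        # The cookie and "Vary: Cookie" are added only here, on the way out.
        if request.csrf_cookie_used:
            response.cookies["csrftoken"] = request.csrf_token
            if "Cookie" not in response.vary:
                response.vary.append("Cookie")
        return response


class CacheBase:
    def __init__(self, cache):
        self.cache = cache

    def key(self, request, vary):
        # Cache key varies on exactly the headers named in Vary, as Django does.
        return request.path + "|" + "|".join(f"{h}={request.headers.get(h, '')}" for h in vary)


class UpdateCacheMiddleware(CacheBase):
    def process_request(self, request):
        return None

    def process_response(self, request, response):
        if request.update_cache:
            self.cache["vary:" + request.path] = list(response.vary)
            self.cache[self.key(request, response.vary)] = copy.deepcopy(response)
        return response


class FetchFromCacheMiddleware(CacheBase):
    def process_request(self, request):
        vary = self.cache.get("vary:" + request.path)
        if vary is None:
            return None
        hit = self.cache.get(self.key(request, vary))
        if hit is not None:
            request.update_cache = False
        return hit

    def process_response(self, request, response):
        return response


def handle(middleware, request):
    """process_request in list order, then process_response in reverse order."""
    response = None
    for mw in middleware:
        response = mw.process_request(request)
        if response is not None:
            break
    if response is None:
        response = register_view(request)
    for mw in reversed(middleware):
        response = mw.process_response(request, response)
    return response


def simulate(update_first):
    """Two users with distinct session cookies load the signup page back-to-back.

    Returns [(form_token, csrftoken_cookie), ...] for each user."""
    cache = {}
    csrf = CsrfViewMiddleware()
    update, fetch = UpdateCacheMiddleware(cache), FetchFromCacheMiddleware(cache)
    middleware = [update, csrf, fetch] if update_first else [csrf, update, fetch]
    results = []
    for session in ("sessionid=alice", "sessionid=bob"):
        resp = handle(middleware, Request(session))
        results.append((FORM_TOKEN.search(resp.body).group(1), resp.cookies.get("csrftoken")))
    return results


def second_user_form_matches_cookie(update_first):
    """True when the second visitor's form token matches the cookie they were given."""
    (_, _), (form_token, cookie_token) = simulate(update_first)
    return form_token == cookie_token
```

With UpdateCacheMiddleware first, each user's page is keyed on their own Cookie header and gets a matching token; with it placed after CsrfViewMiddleware, the second user receives the first user's cached token and no cookie of their own, which is the violation the question describes.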
