Django caching causes CSRF violations
Question
My website uses django-registration for login/signup. Recently I introduced some cache middleware and it resulted in CSRF violations when attempting to do back-to-back new users sign-ups.
Here is the middleware statement from my settings.py:
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.cache.UpdateCacheMiddleware', <------
'django.middleware.locale.LocaleMiddleware',
'linaro_django_pagination.middleware.PaginationMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware', <------
'djangobb_forum.middleware.LastLoginMiddleware',
'djangobb_forum.middleware.UsersOnline',
'djangobb_forum.middleware.TimezoneMiddleware',
)
Not sure if this is a real problem or not. Does the order of the middleware statements matter?
It seems there must be a way for CSRF and Cache middleware to co-exist. Currently I removed the cache middleware.
Answer
According to https://docs.djangoproject.com/en/1.8/topics/cache/#the-per-site-cache:
Once the cache is set up, the simplest way to use caching is to cache your entire site. You’ll need to add 'django.middleware.cache.UpdateCacheMiddleware' and 'django.middleware.cache.FetchFromCacheMiddleware' to your MIDDLEWARE_CLASSES setting, as in this example:
MIDDLEWARE_CLASSES = (
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.cache.FetchFromCacheMiddleware',
)
Note
No, that’s not a typo: the "update" middleware must be first in the list, and the "fetch" middleware must be last. The details are a bit obscure, but see Order of MIDDLEWARE_CLASSES below if you’d like the full story.
Not sure if this helps.
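To see why the order in the question breaks back-to-back signups, here is an added model of the middleware pipeline in plain Python. It is not code from the question, the answer or Django itself; it reproduces only the behaviour the docs quote relies on, stated as assumptions in the comments: process_request runs top to bottom and process_response bottom to top, CsrfViewMiddleware adds "Cookie" to the Vary header of a response whose view issued a token, and the page cache stores the Vary list and keys later lookups on the request headers it names. The names Response, run, tokens_served and check_order are invented for the model. With UpdateCacheMiddleware below CsrfViewMiddleware, the page is stored before Vary: Cookie is added, so the second browser is served the first browser's token straight from the cache and its POST then fails the CSRF check; with the documented order both browsers get their own token.

```python
"""Model of why UpdateCacheMiddleware must be first and FetchFromCacheMiddleware last.

Added example, not code from the question, the answer or Django. Only the
behaviour relevant to the Vary header and the page cache is modelled; every
other middleware name in the list is a no-op here.
"""
from itertools import count

UPDATE = "django.middleware.cache.UpdateCacheMiddleware"
FETCH = "django.middleware.cache.FetchFromCacheMiddleware"
CSRF = "django.middleware.csrf.CsrfViewMiddleware"

# The order from the question, and the order the Django docs prescribe.
QUESTION_ORDER = [
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    CSRF,
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    UPDATE,
    "django.middleware.locale.LocaleMiddleware",
    "linaro_django_pagination.middleware.PaginationMiddleware",
    FETCH,
    "djangobb_forum.middleware.LastLoginMiddleware",
    "djangobb_forum.middleware.UsersOnline",
    "djangobb_forum.middleware.TimezoneMiddleware",
]
RECOMMENDED_ORDER = [UPDATE] + [m for m in QUESTION_ORDER if m not in (UPDATE, FETCH)] + [FETCH]

_tokens = count(1)  # constructed token source; Django uses a random per-session token


class Response:
    def __init__(self, body, vary=(), from_cache=False):
        self.body = body
        self.vary = list(vary)  # header names carried in the Vary header
        self.from_cache = from_cache


def _cache_key(request, vary):
    # Django hashes the request values of the headers named in Vary; the model
    # keeps them as a tuple so the effect of an empty Vary list stays visible.
    return (request["path"], tuple((h, request.get(h)) for h in vary))


def run(order, cache, request):
    """Push one request through the middleware list; the cache persists across calls."""
    for name in order:  # process_request, top to bottom (assumption about Django)
        if name == FETCH:
            vary = cache.get(("vary", request["path"]))
            if vary is not None and _cache_key(request, vary) in cache:
                hit = cache[_cache_key(request, vary)]
                # A hit short-circuits: the view, and the token it would issue, never run.
                return Response(hit.body, hit.vary, from_cache=True)

    # The view renders the signup form with a token bound to this request.
    token = f"token{next(_tokens)}"
    request["csrf_used"] = True
    response = Response(f'<input name="csrfmiddlewaretoken" value="{token}">')

    for name in reversed(order):  # process_response, bottom to top (assumption about Django)
        if name == CSRF and request.get("csrf_used"):
            if "Cookie" not in response.vary:
                response.vary.append("Cookie")  # models patch_vary_headers(response, ('Cookie',))
        elif name == UPDATE:
            # Whatever Vary says at this moment is what the cache will key on later.
            cache[("vary", request["path"])] = list(response.vary)
            cache[_cache_key(request, response.vary)] = Response(response.body, response.vary)
    return response


def _token_of(body):
    return body.split('value="')[1].split('"')[0]


def tokens_served(order):
    """Serve the signup page to two browsers; return [(token, came_from_cache), ...]."""
    cache = {}
    seen = []
    for cookie in ("sessionid=alice", "sessionid=bob"):  # constructed sample cookies
        request = {"path": "/accounts/register/", "Cookie": cookie}
        resp = run(order, cache, request)
        seen.append((_token_of(resp.body), resp.from_cache))
    return seen


def check_order(order):
    """Return the ordering violations the Django docs warn about, if any."""
    problems = []
    if order and order[0] != UPDATE:
        problems.append("UpdateCacheMiddleware must be first")
    if order and order[-1] != FETCH:
        problems.append("FetchFromCacheMiddleware must be last")
    return problems


if __name__ == "__main__":
    for label, order in (("question", QUESTION_ORDER), ("recommended", RECOMMENDED_ORDER)):
        print(label, check_order(order) or "order OK", tokens_served(order))
```

Running the script prints the question's order serving the same token to both browsers, the second one from the cache, while the recommended order gives each browser a fresh token. The check_order function is the practical takeaway: it can be run against a real MIDDLEWARE_CLASSES tuple to flag the two ordering rules from the docs before the cache is turned on.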