来自Django的CSRF中间件的假阳性数量？ [英] Tons of false positives from Django's CSRF middleware?

问题描述

我从Django的contrib CSRF中间件中获得了大量的误报。只要正常使用网站，就会出现很多情况，其中CSRF刚刚开始阻止请求作为可疑的伪造攻击。

有没有人有这样的问题？我正在使用Django的SVN分支，所以有最新版本的CSRF中间件。我如何诊断这些问题？

更新：我在我的生产和开发网站上看到这些误报。他们偶尔发生。我的网站使用子域，并且有不同的开发/生产版本的站点在不同的服务器上运行，但由子域分隔。什么触发CSRF攻击警告？是否将dev cookie发送到生产站点？在同一个登录用户的子域之间移动会导致问题吗？

解决方案

Django中的CSRF保护是基于隐藏字段加上正常工作会话。如果您使用子域来区分这两个站点，请检查您的 settings.SESSION_COOKIE_DOMAIN 是否为正确设置以处理您的案例。

I'm getting tons of false positives from Django's contrib CSRF middleware. Just from normal use of the site there will be a lot of cases where the CSRF just starts blocking requests as suspected forgery attacks.

Does anyone else have issues like this? I'm using the SVN branch of Django so have the latest version of the CSRF middleware. How could I diagnose these issues?

Update: I see these false positives on my production and dev sites. They happen sporadically. My site uses sub-domains and there is a different dev/production version of the site that runs on different servers but is seperated by a sub-domain. What triggers CSRF attack warnings? Is it when a dev cookie gets sent to the production site? Would moving between sub-domains for the same logged in user cause problems?

解决方案

CSRF protection in Django is based on hidden field plus properly working session. If you use subdomains to differentiate these two sites, check if your settings.SESSION_COOKIE_DOMAIN is set properly to handle your case.

这篇关于来自Django的CSRF中间件的假阳性数量？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！