Is the {% csrf_token %} CSRF protection tag still necessary in Django 1.2?


Problem description



I am testing the CSRF protection on my site and I have noticed something unexpected.

I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form> element. I changed the ID of the form to make sure it was definitely updating the source and it was but the hidden input is still there.

I am using Django 1.2. Is {% csrf_token %} still necessary?

Cheers

Rich

Solution

After more investigation it appears the {% csrf_token %} is always inserted if the form has method post and not if it doesn't. Very clever auto protection from Django.
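The answer above reports that the hidden token field shows up in forms with method post and not in others. A way to check rendered HTML for that property, as an added example that is not part of the original post: `csrfmiddlewaretoken` is the name Django gives the hidden input, while the class and function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

TOKEN_FIELD = "csrfmiddlewaretoken"  # name of Django's hidden CSRF input


class PostFormAudit(HTMLParser):
    """Collect POST forms that carry no non-empty hidden CSRF token input."""

    def __init__(self):
        super().__init__()
        self.unprotected = []    # labels of POST forms lacking a token
        self._current = None     # label of the POST form being parsed, if any
        self._has_token = False
        self._count = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._count += 1
            # The method attribute defaults to GET; only POST forms need a token.
            if (a.get("method") or "get").strip().lower() == "post":
                self._current = a.get("id") or "form#%d" % self._count
                self._has_token = False
        elif tag == "input" and self._current is not None:
            # An empty value would be rejected server-side, so treat it as missing.
            if ((a.get("type") or "").lower() == "hidden"
                    and a.get("name") == TOKEN_FIELD and a.get("value")):
                self._has_token = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if not self._has_token:
                self.unprotected.append(self._current)
            self._current = None


def unprotected_post_forms(html):
    """Return the id (or position) of every POST form without a token field."""
    audit = PostFormAudit()
    audit.feed(html)
    audit.close()
    return audit.unprotected


# Constructed sample page: one GET form, one protected and one bare POST form.
SAMPLE = """
<form id="search" method="get" action="/search/"><input name="q"></form>
<form id="contact" method="post" action="/contact/">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='constructed-token' /></div>
<input name="email"></form>
<form id="delete" method="POST" action="/delete/"><input type="submit"></form>
"""

if __name__ == "__main__":
    print(unprotected_post_forms(SAMPLE))
```

Running this over the pages a test client fetches shows which POST forms would be submitted without a token, whether the field was expected from the template tag or from automatic insertion.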
