django注销使用链接或表单来防止csrf利用 [英] django logout using a link or form to prevent csrf exploit
问题描述
在阅读 djangobook第一章时,我遇到了提及csrf的部分利用其中一个注销链接被隐藏的恶意网站。
while reading up djangobook chapter ,I came across the section which mentions a csrf exploit where a logout link was put in a hidden of malicious site.
在我使用django创建的Web应用程序中,我使用了类似的注销链接
In a web app I created using django,I had used a similar logout link
base.html:
base.html:
<a href="{% url my_logout %}" > Logout </a>
my_logout url指向 django.contrib.auth.views.logout_then_login
where the my_logout url points to django.contrib.auth.views.logout_then_login
urlpatterns=patterns('django.contrib.auth.views',
url(r'^logout/$', 'logout_then_login', {}, name = 'my_logout'),
)
现在,在阅读了关于csrf攻击之后,我担心恶意网站会给我带来麻烦,所以我想使用一个表单来进行注销。
Now,after reading about csrf attack,I fear that a malicious site can cause trouble for me too.So,I would like to use a form to do the logging out.
我以为我可以这样做
base.html:
base.html:
...
<form method="post" action=".">{% csrf_token %}
<input type="hidden" name="next" value="{{next}}" />
<input type="hidden" name="confirm" value="true" />
<input type="submit" value="Logout" />
</form>
...
现在,我应该如何编写视图来处理这个表单?我要处理隐藏的变量(确认
来检查是否注销应该完成,然后 next
转到上一个视图),我仍然可以使用 django.contrib.auth.views.logout_then_login
方法?
Now,how should I write the view for processing this form?If I am to process the hidden variables(confirm
to check whether logout should be done and next
to go to the previous view) ,will I still be able to use the django.contrib.auth.views.logout_then_login
method?
可以有人请告诉我,如果我这样做是正确的方式?
can someone please tell me if I am doing this the right way?
提前感谢
推荐答案
您可以将其包装起来像
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
@csrf_protect
@require_POST
@never_cache
def safer_logout(request):
# 'confirm' is useless here, POST implies 'do it'
return logout_then_login(request, request.POST.get('next'))
此外,请考虑使用 SESSION_COOKIE_HTTPONLY
这篇关于django注销使用链接或表单来防止csrf利用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!