Django, csrf
来源:互联网 发布:逆战挂机软件 编辑:程序博客网 时间:2024/05/14 23:01
I have recently updated a website from Django 1.0 to 1.3. One of the changes introduced wasautomatic protection against CSRF attacks. For the most part, this works great, but I have a problem with clients that for some reason do not accept cookies at all. While it is OK to refuse such clients to register or log in, they still should be able to use e.g. a contact form. Django refuses all POST requests that do not have a CSRF cookie, so I have dozens of CSRF failures every day that are not an attack, but legitimate clients that do not accept cookies.
As this is not acceptable, my plan is to modify Django's behavior (through extension of the CSRF middleware) in such a way, that it lets through POST requests that do not have any cookies at all. My reasoning behind this is that CSRF attacks makes use of the session cookie to forge a request. But there is no session cookie attached to the request anyway, so no protection against CSRF is needed in this case.
So, is my reasoning sound or am I about to tear a huge security hole into my website?
http://security.stackexchange.com/questions/8711/csrf-protection-needed-for-clients-that-dont-accept-cookies
- Django, csrf
- django CSRF
- Django Ajax with CSRF
- django中的csrf
- django csrf 403
- django 禁掉CSRF
- django 403 csrf
- Django:CSRF verification failed.
- Django CSRF设置方法
- django csrf 防跨站攻击
- django csrf解决办法
- Django CSRF 原理分析
- Django CSRF原理分析
- Django Ajax CSRF 认证
- Django遇到csrf问题
- Django-CSRF的理解
- Django进阶之CSRF
- Django进阶之CSRF
- 菜鸟学Android之TabHost(一)
- 面向 Java 开发人员的 Scala 指南: 构建计算器,第 1 部分
- IOS APP如何实现升级
- MYSQL中MY.CNF配置文件及参数介绍
- python_20131014
- Django, csrf
- 网页设计技巧内容分享:优化网页加载速度
- html上下框架(demo)
- 哥哥最近有项目没有做完,考试也没有过,吐槽一把
- Objective-C property和instance variable
- mysql使用rand随机查询记录的高效率方法
- VC 笔记补遗
- C++中给二维指针分配内存
- 在线程中弹出自定义对话框