Tons of false positives from Django's CSRF middleware?

烈酒焚心 submitted on 2019-12-06 06:26:20

Question


I'm getting tons of false positives from Django's contrib CSRF middleware. Just from normal use of the site there will be a lot of cases where the CSRF just starts blocking requests as suspected forgery attacks.

Does anyone else have issues like this? I'm using the SVN branch of Django so have the latest version of the CSRF middleware. How could I diagnose these issues?

Update: I see these false positives on my production and dev sites. They happen sporadically. My site uses sub-domains and there is a different dev/production version of the site that runs on different servers but is separated by a sub-domain. What triggers CSRF attack warnings? Is it when a dev cookie gets sent to the production site? Would moving between sub-domains for the same logged in user cause problems?


Answer 1:


CSRF protection in Django is based on hidden field plus properly working session. If you use subdomains to differentiate these two sites, check if your settings.SESSION_COOKIE_DOMAIN is set properly to handle your case.
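To see why the cookie domain matters, here is an added example (not code from the question, the answer, or Django itself) that models how a browser scopes the session cookie under different `SESSION_COOKIE_DOMAIN` values and how a request on a sibling sub-domain then arrives without the session that holds the CSRF token. The hostnames and token are constructed for illustration; the domain-matching rule follows RFC 6265.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed hosts: one dev and one production sub-domain of the same site.
DEV_HOST = "dev.example.com"
PROD_HOST = "www.example.com"
SESSION_TOKEN = "constructed-csrf-token"  # token Django would keep in the session


@dataclass(frozen=True)
class SessionCookie:
    """The session cookie as the browser stores it after Set-Cookie."""
    set_on_host: str               # host that issued the Set-Cookie header
    domain_attr: Optional[str]     # SESSION_COOKIE_DOMAIN; None means host-only


def cookie_sent_to(cookie: SessionCookie, request_host: str) -> bool:
    """RFC 6265 domain matching: a host-only cookie is returned only to the exact
    host that set it; a cookie with a Domain attribute is returned to that domain
    and to every sub-domain of it (and to nothing else)."""
    if cookie.domain_attr is None:
        return request_host == cookie.set_on_host
    domain = cookie.domain_attr.lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def csrf_check(cookie: SessionCookie, request_host: str, form_token: str) -> str:
    """Model of the middleware's decision on a POST: the hidden-field token must
    match the token stored in the session, and the session must actually reach
    the server on this request. A missing session is reported as a forgery even
    though the user is legitimate."""
    if not cookie_sent_to(cookie, request_host):
        return "403: no session on this host (suspected forgery)"
    if form_token != SESSION_TOKEN:
        return "403: token mismatch (suspected forgery)"
    return "200: accepted"


def cross_subdomain_post(session_cookie_domain: Optional[str]) -> str:
    """Log in on the dev host, then submit a form on the production host,
    using the given SESSION_COOKIE_DOMAIN setting."""
    cookie = SessionCookie(set_on_host=DEV_HOST, domain_attr=session_cookie_domain)
    return csrf_check(cookie, PROD_HOST, SESSION_TOKEN)


if __name__ == "__main__":
    print("SESSION_COOKIE_DOMAIN unset   ->", cross_subdomain_post(None))
    print("SESSION_COOKIE_DOMAIN='.example.com' ->", cross_subdomain_post(".example.com"))
```

With the setting unset, the dev cookie never reaches `www.example.com`, so the first POST there after moving between sub-domains fails; with `.example.com` the same session is visible on both hosts and the check passes.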



Source: https://stackoverflow.com/questions/1467425/tons-of-false-positives-from-djangos-csrf-middleware
