Hi Luke. This is a really great idea. I've just got a small nit with it.
By doing this you would disable/stop posts coming in via the javascript/ajax method. It wouldn't be able to access the tokens required, or at the very least it would require a form tag to be somewhere on the HTML page which is generating the post (which might not be the case), but it's a great idea, and I'll be adding it to my public facing apps shortly.

On 11/4/05, Luke Plant <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've created a generic CSRF solution for Django, implemented as a
> middleware. It does two things:
>
> 1) modifies outgoing requests by adding a hidden form field to all
> 'POST' forms, with name 'csrfmiddlewaretoken' and a value which is a
> hash of the session ID plus a secret (this is not done if there is no
> session ID).
>
> 2) on all incoming POST requests that have the session cookie set,
> require that the 'csrfmiddlewaretoken' is present and correct.
>
> To use it,
>
> 1) insert it in your list of middleware before the Sessions middleware
> 2) add a setting CSRF_MIDDLEWARE_SECRET to your settings file which is
> a string with a secret that is used for hashing.
>
> - and that's it!
>
>
> There is already a ticket and patch for protecting Django's admin
> against CSRF:
>
> http://code.djangoproject.com/ticket/510
>
> This solution is different in a number of ways:
>
> 1) it is entirely middleware, requiring no changes to views/templates
>
> 2) it works with any Django app that uses the session framework
>
> 3) it post-processes your HTML to insert the input form field -
> something that I feel fairly uncomfortable about in general, but I
> think is acceptable in this case.
>
> 4) it doesn't have a timeout system like Simon's patch. But I don't
> really know why you need a timeout, apart from extra paranoia.
>
> 5) it doesn't require any extra tables for storing tokens.
>
> Whether or not Simon's patch is accepted for the admin app, I think
> this is a useful enough middleware to go into the repository, either
> in core or contrib. I can create this as a ticket if you like, but I
> thought it might be useful to other developers even if it isn't
> included in Django.
>
> The source code is attached to this e-mail, criticisms welcome (I'm
> pretty new to python, so I imagine there will be plenty to criticise!)
>
> Luke
>
> --
> "In my opinion, we don't devote nearly enough scientific research to
> finding a cure for jerks." (Calvin and Hobbes)
>
> Luke Plant || L.Plant.98 (at) cantab.net || http://lukeplant.me.uk/
>

--
[EMAIL PROTECTED] -- ++61-3-9877-0909
If everything seems under control, you're not going fast enough. - Mario Andretti
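The two steps Luke's quoted message describes (derive a token from the session ID plus a secret, inject it as a hidden field into every POST form in the outgoing HTML, and require it on incoming POSTs that carry the session cookie), as an added Python example that is not the attached middleware or Django's own code. The HMAC-SHA256 construction, the regex-based form rewriting, the `make_token` / `add_token_to_forms` / `check_incoming_post` names and the constructed secret value are this example's assumptions; the post only says "a hash of the session ID plus a secret".

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Stand-in for the CSRF_MIDDLEWARE_SECRET setting (constructed value for this example).
CSRF_MIDDLEWARE_SECRET = "example-secret-do-not-reuse"
TOKEN_FIELD = "csrfmiddlewaretoken"


def make_token(session_id: str, secret: str = CSRF_MIDDLEWARE_SECRET) -> str:
    """Per-session token: a keyed hash of the session ID under the site secret.

    HMAC-SHA256 is this example's choice of "hash of the session ID plus a
    secret"; it is not necessarily what the attached middleware used.
    """
    return hmac.new(secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()


# Opening <form ...> tag whose method attribute is POST, in any letter case or quoting.
_POST_FORM_RE = re.compile(
    r"(<form\b[^>]*\bmethod\s*=\s*['\"]?post['\"]?(?=[\s/>])[^>]*>)", re.IGNORECASE
)


def add_token_to_forms(html: str, session_id):
    """Step 1: post-process outgoing HTML, inserting a hidden input right after
    each POST form's opening tag. With no session ID the HTML is left untouched."""
    if session_id is None:
        return html
    token = make_token(session_id)
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}" />'
    return _POST_FORM_RE.sub(lambda m: m.group(1) + hidden, html)


def check_incoming_post(method: str, session_id, body: str) -> bool:
    """Step 2: a POST that carries the session cookie must include the correct
    token in its form body. Non-POST requests and requests without a session
    pass through unchanged, as the description says."""
    if method.upper() != "POST" or session_id is None:
        return True
    submitted = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    # Constant-time comparison so token checks do not leak via timing.
    return hmac.compare_digest(submitted, make_token(session_id))


if __name__ == "__main__":
    # Constructed page and session for a stand-alone run.
    page = '<form method="post" action="/comment"><input name="text"></form>'
    rewritten = add_token_to_forms(page, "session-abc")
    print(rewritten)
    token = make_token("session-abc")
    print(check_incoming_post("POST", "session-abc", f"text=hi&{TOKEN_FIELD}={token}"))
    print(check_incoming_post("POST", "session-abc", "text=hi"))
```

The last call illustrates the nit raised in the reply above: a script-driven POST that never rendered a form through the middleware has no token to send, so the check rejects it; the token has to be obtained from a rewritten form on the page.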