Hi Wim,
On 16/07/15 16:51, Wim Feijen wrote:
> Hi,
> We are experiencing the same problem when a user changes his language.
> We are using a post form for that, see https://roominreturn.nl.
> 1. What is annoying is that the csrf Forbidden page is a yellow page and
> is shown to the end user. We would
Hi,
We are experiencing the same problem when a user changes his language. We
are using a post form for that, see https://roominreturn.nl.
1. What is annoying is that the csrf Forbidden page is a yellow page and is
shown to the end user. We would never want to confront a visitor with a
yell
I was not aware of that kind of attack. It's pretty clever.
Thanks for the info and the workaround JS.
On Wednesday, July 1, 2015 at 4:29:32 PM UTC-7, Collin Anderson wrote:
>
> Hi,
>
> This is the best reason I could find:
>
> http://security.stackexchange.com/questions/62769/must-login-and-logo
Hi,
This is the best reason I could find:
http://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection
One thing that's going on here is that the csrftoken changes every time
someone logs in, so the old login page now has a stale token. The changing
csrf t
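The mechanism Collin describes, and the two-window scenario from the original question below, as an added simulation that is not code from this thread or from Django itself. The names (Server, Browser cookie, two_window_scenario) are invented for the illustration; the server is an assumed stand-in for the parts of Django's CSRF middleware and login view that matter here: the login form embeds the session's current token, csrf_protect rejects any other token, and a successful login rotates the token. Both windows share one cookie jar, so a login in one window makes the form still open in the other stale.

```python
"""Simulation of a Django-style CSRF token that is rotated on login.

Added example, not the thread's or Django's own code. Server, the
cookie string and two_window_scenario are invented names; the
behaviour is an assumed simplification of csrf_protect + login().
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    # Token issued to the browser; a fresh one per session.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    user: Optional[str] = None


class Server:
    """Assumed stand-in for the CSRF check and the auth views."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def _session(self, cookie: str) -> Session:
        return self.sessions.setdefault(cookie, Session())

    def get_login_form(self, cookie: str) -> Dict[str, str]:
        # GET /login/: the rendered form carries the token the session
        # holds at render time.
        return {"csrfmiddlewaretoken": self._session(cookie).csrf_token}

    def post_login(self, cookie: str, form: Dict[str, str], username: str) -> int:
        sess = self._session(cookie)
        submitted = form.get("csrfmiddlewaretoken", "")
        # csrf_protect: only the session's current token is accepted,
        # compared in constant time.
        if not hmac.compare_digest(submitted, sess.csrf_token):
            return 403  # the yellow "CSRF verification failed" page
        sess.user = username
        # login() rotates the token, so every form rendered earlier
        # with the old token is now stale.
        sess.csrf_token = secrets.token_hex(16)
        return 200

    def post_logout(self, cookie: str) -> int:
        # Logging out clears the user; the token cookie is left as is.
        sess = self._session(cookie)
        sess.user = None
        return 200


def two_window_scenario():
    """Replays the scenario from the original question.

    Returns (login status in Window2, status of the stale Window1 form,
    status after Window1 fetches a fresh token).
    """
    server = Server()
    cookie = "browser-cookie-jar"  # constructed: one jar shared by both windows

    # Window1 and Window2 both open the login page: same session, same token.
    form_window1 = server.get_login_form(cookie)
    form_window2 = server.get_login_form(cookie)
    assert form_window1 == form_window2

    # Window2 logs in (token rotates) and logs out again.
    window2_status = server.post_login(cookie, form_window2, "alice")
    server.post_logout(cookie)

    # Window1 submits the form it rendered before the rotation: rejected.
    stale_status = server.post_login(cookie, form_window1, "alice")

    # Mitigation: refresh the token right before submitting (what a
    # client-side workaround has to do), then the login succeeds.
    fresh_status = server.post_login(cookie, server.get_login_form(cookie), "alice")
    return window2_status, stale_status, fresh_status


if __name__ == "__main__":
    print(two_window_scenario())
```

The rotation is the defensive point of the thread: a token handed out before authentication stops being valid once someone is logged in, which is why the stale Window1 form is refused rather than silently accepted. The usability cost is that any login form rendered before another login in the same browser has to obtain the current token again before it can be submitted.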
Is there a reason django.contrib.auth.views.login should be decorated
with csrf_protect? It results in annoying behavior, in the following
scenario:
In a browser window (Window1), go to the login page.
In another browser window (Window2), go to the login page, and actually
login, then logout.
B