Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is the {% csrf_token %} CSRF protection tag still necessary in Django 1.2?

Tags:

django

csrf

I am testing the CSRF protection on my site and I have noticed something unexpected.

I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form> element. I changed the ID of the form to make sure it was definitely updating the source and it was but the hidden input is still there.

I am using Django 1.2. Is {% csrf_token %} still necessary?

Cheers

Rich

like image 899
Rich Avatar asked Dec 01 '10 09:12

Rich


2 Answers

After more investigation it appears the {% csrf_token %} is always inserted if the form has method post and not if it doesn't. Very clever auto protection from Django.

like image 118
Rich Avatar answered Sep 27 '22 17:09

Rich


From the documentation:

In Django 1.1, the template tag did not exist. Instead, a post-processing middleware that re-wrote POST forms to include the CSRF token was used. If you are upgrading a site from version 1.1 or earlier, please read this section and the Upgrading notes below.

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#legacy-method

like image 29
Josh Smeaton Avatar answered Sep 27 '22 16:09

Josh Smeaton