I have a custom logout view. I have added the decorators like below:

```python
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
from django.contrib.auth.views import logout_then_login

@csrf_protect
@require_POST
@never_cache
def logout(request):
    nxt = request.POST.get('next')
    print('next=', nxt)
    return logout_then_login(request, nxt)
```
In my settings file I have the following middleware classes:

```python
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
)
```
Since the CsrfViewMiddleware is included here, do I really need the @csrf_protect for my view? If I use both, will there be some problem/conflict?
As an aside, when I checked the Django source, I found that the decorators are applied only for the login view and not for any of the logout, login_then_logout views. Why is that?
Any help is most welcome.
The Middleware gives you blanket protection on all views - adding the decorator is redundant. The Django docs recommend using the Middleware over the decorator as it provides better protection.
Use of the decorator by itself is not recommended, since if you forget to use it, you will have a security hole. The 'belt and braces' strategy of using both is fine, and will incur minimal overhead.
The decorators aren't used for the views you mentioned because there is little to no risk of a session being hijacked via CSRF if a login_then_logout event is triggered, and there is no security risk to a user once a session has been destroyed.
You seem to have a lot of questions regarding CSRF - might I suggest you bone up on Django's CSRF documentation and CSRF in general?
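To see concretely why stacking the decorator on top of the middleware causes no conflict, here is an added, simplified Python model (not Django's code and not from the question or answer) of how CsrfViewMiddleware and csrf_protect share one check: in real Django, csrf_protect is built from the middleware via decorator_from_middleware, and the middleware sets request.csrf_processing_done so a second pass is skipped. The Request class, the token values and the checks_run counter are constructed for this example, and the token comparison is simplified to a constant-time equality check rather than Django's masked-token scheme.

```python
import hmac
from functools import wraps

class Request:
    """Constructed stand-in for HttpRequest with only the fields the check reads."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.csrf_processing_done = False  # Django sets this flag after one check
        self.checks_run = 0                # instrumentation for this example only

def csrf_check(request):
    """Modelled on CsrfViewMiddleware.process_view: returns a rejection or None."""
    if request.csrf_processing_done:
        return None                        # middleware already ran: second pass is a no-op
    request.csrf_processing_done = True
    request.checks_run += 1
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None                        # safe methods are never checked
    cookie = request.COOKIES.get("csrftoken", "")
    token = request.POST.get("csrfmiddlewaretoken", "")
    if not cookie or not hmac.compare_digest(cookie, token):
        return "403 Forbidden: CSRF verification failed"
    return None

def csrf_protect(view):
    """Decorator form: the same check wrapped around a single view."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        return csrf_check(request) or view(request, *args, **kwargs)
    return wrapper

def middleware(view):
    """Middleware form: the same check in front of every view."""
    def handler(request):
        return csrf_check(request) or view(request)
    return handler

@csrf_protect
def logout(request):
    return "logged out; redirecting to login"

def post_logout(token):
    """POST through middleware + decorated view; returns (response, checks_run)."""
    request = Request("POST", cookies={"csrftoken": "constructed-token"},
                      post={"csrfmiddlewaretoken": token, "next": "/"})
    response = middleware(logout)(request)
    return response, request.checks_run
```

With both layers in place the check still runs exactly once per request, which is the "minimal overhead" the answer refers to, and a POST lacking the token is rejected before the view body executes.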