[Answered] Are both the csrftoken cookie AND the csrf_token input required in Django?

2👍

Cross-site request forgery:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Using a secret cookie

Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

Only accepting POST requests

Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on the attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim, who thinks the form will do something else.

Reference link

Django sets the csrftoken cookie every time you request the server, and when you post data from the client to the server this token is matched against that token. If it matches, no problem; if it does not match, it throws an error because it is a malicious request.

You can use the csrf_exempt decorator to disable CSRF protection for a particular view.

from django.views.decorators.csrf import csrf_exempt

then write @csrf_exempt before your view

👤dhana

0👍

CSRF stands for Cross-Site Request Forgery.

It is a very common kind of attack when it comes to web applications. So not only Django but most other frameworks, including Ruby on Rails, provide support to prevent this attack.

In Django this is done by sending in "csrfmiddlewaretoken" as POST data. Django then matches the value of this token with the legitimate one. If it matches, the request is passed; else an error is raised.

{% csrf_token %} template tag generates a hidden input field with Legitimate CSRF token value.

All the handling and exception raising is done in CsrfViewMiddleware.
You can find more info about this in the Django docs (pretty well explained): https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/
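The two answers above describe the same mechanism from two sides: the csrftoken cookie that Django sets on responses, and the csrfmiddlewaretoken hidden field that {% csrf_token %} writes into the form. The check only works when both are present and agree. The following added example (not Django's code and not from either answer) is a small stand-alone model of that check in plain Python, so it runs without Django installed. The function names issue_csrf_token, render_form, check_csrf and demo are assumptions made for this illustration; the cookie and field names are the ones Django uses. It deliberately omits the token masking that newer Django releases add, so it matches the unmasked behaviour of the 1.6-era docs linked above.

```python
import secrets
from html import escape

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # Django skips the check for these
COOKIE_NAME = "csrftoken"                             # cookie set by CsrfViewMiddleware
FORM_FIELD = "csrfmiddlewaretoken"                    # hidden input emitted by {% csrf_token %}


def issue_csrf_token():
    """Make a fresh random token, i.e. the value the server puts in the csrftoken cookie."""
    return secrets.token_urlsafe(32)


def render_form(csrf_token):
    """Model of {% csrf_token %}: embed the cookie's token in a hidden input (assumed helper)."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{escape(csrf_token)}">'


def check_csrf(method, cookies, post_data):
    """Simplified model of the CsrfViewMiddleware check (assumed helper, not Django's code).

    Returns (accepted, reason). The cookie alone proves nothing: the browser attaches
    it to cross-site requests automatically. The hidden field proves the submitting
    page could read the token, which a page on another origin cannot.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    submitted = post_data.get(FORM_FIELD)
    if not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison on bytes so a mismatch does not leak how many
    # leading characters agreed, and non-ASCII input does not raise TypeError.
    if not secrets.compare_digest(cookie_token.encode(), submitted.encode()):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo():
    """Run the four cases a practitioner cares about and return the outcomes."""
    token = issue_csrf_token()
    browser_cookies = {COOKIE_NAME: token}   # set by the site, resent on every request

    # Legitimate submit: the form the site rendered carries the matching hidden field.
    legit = {FORM_FIELD: token, "amount": "10"}
    # Cross-site submit (constructed sample): the cookie still arrives, but the
    # hidden field is absent because another origin cannot read the cookie value.
    cross_site = {"amount": "10000"}

    return {
        "legit": check_csrf("POST", browser_cookies, legit),
        "cross_site": check_csrf("POST", browser_cookies, cross_site),
        "wrong_value": check_csrf("POST", browser_cookies, {FORM_FIELD: "guess"}),
        "get": check_csrf("GET", browser_cookies, {}),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:12s} accepted={accepted} ({reason})")
```

The point the question asks about falls out of check_csrf directly: remove the cookie and you get "CSRF cookie not set"; remove the hidden field and you get "CSRF token missing". Neither half is sufficient on its own, which is why csrf_exempt, which skips this function entirely for a view, should be reserved for endpoints that authenticate some other way.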
