Is the csrftoken cookie and the csrf_token input type required in Python Django? (Python, Django, Cookies) - Fatal编程技术网


When do we have to send {% csrf_token %} in every form?

<form method="post" action="actionFile/">
    {% csrf_token %}
    <button>Submit</button>
</form>

Does the Django processor always require {% csrf_token %}?

Do we have to put {% csrf_token %} in every form? Can't the Django processor make use of the csrftoken cookie?

{% csrf_token %} may be needed to prevent forgery, but what is the use of the cookie?

Please clarify.

Using a secret cookie

Remember that all cookies, even the secret ones, will be submitted with every request.
All authentication tokens will be submitted regardless of whether or not the end-user 
was tricked into submitting the request. Furthermore, session identifiers are simply
used by the application container to associate the request with a specific session 
object. The session identifier does not verify that the end-user intended to submit
the request.
Only accepting POST requests

Applications can be developed to only accept POST requests for the execution of business 
logic. The misconception is that since the attacker cannot construct a malicious link,
a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are
numerous methods in which an attacker can trick a victim into submitting a forged POST
request, such as a simple form hosted in attacker's website with hidden values. This 
form can be triggered automatically by JavaScript or can be triggered by the victim who
thinks form will do something else.

Django sets the csrftoken cookie on every request to the server. When you POST data from the client to the server, the token is matched against that cookie; if they do not match, an error is thrown, because it is a malicious request.

If you want, you can disable CSRF protection for a particular view with the csrf_exempt decorator:

from django.views.decorators.csrf import csrf_exempt

and then apply csrf_exempt as a decorator on the view.

CSRF stands for Cross-Site Request Forgery.

It is a very common attack on web applications. That is why not only Django but most other frameworks, including Ruby on Rails, support protection against it.

In Django this is done by sending "csrfmiddlewaretoken" as POST data. Django then matches the value of that token against the legitimate token. If it matches, the request passes; otherwise an error is raised.

The {% csrf_token %} template tag generates a hidden input field carrying the legitimate CSRF token value.

All the processing and exception raising is done in CsrfViewMiddleware. You can find more about this in the Django documentation (it is explained very well there).

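The answers above describe Django's "double submit" arrangement: the csrftoken cookie carries the secret, {% csrf_token %} echoes it into the form as csrfmiddlewaretoken, and CsrfViewMiddleware rejects an unsafe request unless the two agree. The following is an added, self-contained illustration of that check and of why the cookie alone is not enough; it is not Django's code, and the names check_request, render_form, new_token and demo, the constant-time compare, and the sample requests are all constructed for this example.

```python
"""
Simplified double-submit CSRF check, modelled on what the answers describe.
Added illustration only, not Django's CsrfViewMiddleware.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie name
FORM_FIELD = "csrfmiddlewaretoken"   # hidden field rendered by {% csrf_token %}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # read-only methods are not checked


def new_token() -> str:
    """Random secret the server places in the csrftoken cookie (constructed helper)."""
    return secrets.token_hex(32)


def render_form(token: str) -> str:
    """What {% csrf_token %} contributes to a <form>: a hidden input carrying the token."""
    return f'<input type="hidden" name="{FORM_FIELD}" value="{token}">'


def check_request(method: str, headers: dict, body: str):
    """Return (accepted, reason) for one request.

    The browser attaches the csrftoken cookie to every request, including a
    forged cross-site POST, so the cookie by itself proves nothing. The form
    field is what the attacker cannot supply: a page on another origin cannot
    read the victim's cookie, so it cannot fill csrfmiddlewaretoken with the
    right value. Requiring both, and requiring them to match, is the check.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if COOKIE_NAME not in cookies:
        return False, "CSRF cookie not set"
    cookie_token = cookies[COOKIE_NAME].value
    form_token = parse_qs(body).get(FORM_FIELD, [""])[0]
    if not form_token:
        return False, "CSRF token missing"
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests through the check and collect the verdicts."""
    token = new_token()
    with_cookie = {"Cookie": f"{COOKIE_NAME}={token}; sessionid=abc123"}
    return {
        # Legitimate submission: the form rendered with {% csrf_token %} echoes the cookie.
        "good": check_request("POST", with_cookie, f"{FORM_FIELD}={token}&action=transfer"),
        # Forged cross-site POST: browser still sends the cookie, form field is absent.
        "forged_missing": check_request("POST", with_cookie, "action=transfer"),
        # Forged POST with a guessed token value: cookie and field disagree.
        "forged_guess": check_request(
            "POST", with_cookie, f"{FORM_FIELD}={secrets.token_hex(32)}&action=transfer"),
        # Field present but no cookie at all (e.g. a scripted client): rejected too.
        "no_cookie": check_request("POST", {}, f"{FORM_FIELD}={token}"),
        # Safe methods are never checked.
        "get": check_request("GET", {}, ""),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The real middleware does more than this sketch: it masks the token value before placing it in the form, accepts the token from the X-CSRFToken header as well as the form field, and validates the Origin and Referer headers on HTTPS requests. The shape of the decision is the same, which is the point of the answers: the cookie supplies the secret, the form field proves the submitting page could read it, and the middleware only passes a request when both are present and equal.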