Tuesday, November 25, 2014

Re: How to deal with CSRF middleware from a crawler

Hello!

Carl Meyer writes:

> [...]
>
> Unless you've modified the CSRF implementation locally, all it
> does is check that the CSRF token provided in a cookie matches the
> one provided in the POST data. [...]
>
> But this means that the CSRF protection is simple to bypass in a
> case like yours: you can just set the CSRF cookie and the POST var
> to the same value in all your crawler's requests. It doesn't
> matter what that value is.

Thank you. I was ignorant about the details of this anti-CSRF
mechanism. It's working now, even for the login view itself.

Bye,
Torsten.

--
Torsten Bronger Jabber ID: torsten.bronger@jabber.rwth-aachen.de
or http://bronger-jmp.appspot.com
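The double-submit check Carl describes, modelled in Python as an added example (not code from the thread or from Django itself). The names `csrftoken` and `csrfmiddlewaretoken` are Django's default cookie and form-field names; the check is simplified (the real middleware also verifies Referer/Origin on HTTPS requests), and it goes one step beyond the thread by showing why the same equality test still blocks a genuinely cross-site forgery.

```python
"""Model of a double-submit cookie CSRF check (illustrative, not Django's code).

The server accepts a POST only when the token in the CSRF cookie equals the
token in the POST body.  A crawler owns its own cookie jar, so it can satisfy
this with any value; a page on another origin cannot read the victim's cookie,
so its form field can only be a guess.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

COOKIE_NAME = "csrftoken"           # Django default (settings.CSRF_COOKIE_NAME)
FIELD_NAME = "csrfmiddlewaretoken"  # Django's default hidden form field


def server_accepts(headers: dict, body: str) -> bool:
    """Double-submit check: cookie token present and equal to the POST token."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_token = jar[COOKIE_NAME].value if COOKIE_NAME in jar else ""
    post_token = parse_qs(body).get(FIELD_NAME, [""])[0]
    # Compare in constant time; both values are ASCII here.
    return bool(cookie_token) and hmac.compare_digest(
        cookie_token.encode(), post_token.encode())


def crawler_post(form: dict, token: str = "") -> tuple:
    """Build the request the thread suggests: the crawler sets the cookie and
    the form field to the same value of its own choosing."""
    token = token or secrets.token_hex(16)  # any value works; only equality is checked
    headers = {"Cookie": f"{COOKIE_NAME}={token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({**form, FIELD_NAME: token})


def forged_post(form: dict, victim_cookie: str, guessed: str) -> tuple:
    """A cross-site forgery: the browser attaches the victim's real cookie, but
    the attacking page cannot read it, so the field carries only a guess."""
    headers = {"Cookie": f"{COOKIE_NAME}={victim_cookie}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({**form, FIELD_NAME: guessed})


if __name__ == "__main__":
    # Constructed sample requests against the model.
    print(server_accepts(*crawler_post({"username": "u", "password": "p"})))  # True
    print(server_accepts(*forged_post({"q": "x"}, "real-token", "guess")))   # False
```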

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/87zjbf6khp.fsf%40physik.rwth-aachen.de.