On Thu, Apr 28, 2016 at 12:16:10PM -0700, Stefano Tranquillini wrote:
> it says "A CSRF cookie that is set to a random value (a session independent
> nonce, as it is called)," and later "For security reasons, the value of
> the CSRF cookie is changed each time a user logs in."
>
> The value is the same in the two tabs because i've not performed the login,
> right? (and it reads the data from the cookie file)
That is mostly correct, but it's really more a matter of how browsers
treat cookies – usually, in the same browser window, different tabs
will use the same cookies when loading the same domain, unless one of
those tabs is in "private" mode and the other is not, in which case
they will be independent. But as I said, this depends on how the
browser isolates tabs and/or windows from each other.
> but from the first
> sentence it seems that every time i refresh the page (so i open it in a new
> tab) it should change (but if the value is in the cookie then it's not).
No – the Django CSRF middleware will only set the CSRF token to a new
value if there was no value provided in the request. That means, if it
has already set the value of the CSRF cookie in this session, the same
value will be reused until either the cookie expires, or you log in,
in which case it will be reset by Django.
Does this help clear things up a bit?
Michal
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/20160428202145.GC435%40koniiiik.org.
For more options, visit https://groups.google.com/d/optout.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment