Is the next request to a CSRF-protected view? The Django CSRF middleware will keep sending a cookie if so.
On Monday, September 23, 2013 6:01:09 AM UTC-7, Joao Da Silva wrote:
-- I think the best approach to handle varnish + csrf cookies is to ignore the CSRF on any request path that doesn't need it. In other words, just because it exists doesn't mean you should vary on it.
Likewise the session cookie doesn't even need to be passed along unless the response truly does vary on the user.
On Monday, September 23, 2013 6:01:09 AM UTC-7, Joao Da Silva wrote:
Hi all
I am using Varnish as a front-end cache for a Django app. It all works well with regard to the VCL configuration. The issue I have is that after the user logs out the csrftoken cookie is not deleted, and from then on Varnish gives a MISS response instead of a HIT. After reading some related questions here on Stack Overflow I have this logout view:
from django.contrib.auth import logout
from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.utils.http import is_safe_url


def logout_view(request):
    # Render the logout page first; the CSRF context processor may touch
    # the token here if the template uses {% csrf_token %}.
    response = render_to_response('registration/logout.html', {},
                                  context_instance=RequestContext(request))
    if request.user.is_authenticated():
        logout(request)
    # Optional ?next= redirect. Only honour same-host targets so the view
    # cannot be used as an open redirect.
    next_url = request.GET.get('next', False)
    if next_url and is_safe_url(url=next_url, host=request.get_host()):
        response = HttpResponseRedirect(next_url)
    # Expire both cookies on whichever response is returned.
    response.delete_cookie('sessionid')
    response.delete_cookie('csrftoken')
    return response

and these response headers after the user has hit the logout page:
Response Headers
Age: 0
Cache-Control: max-age=600
Connection: keep-alive
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 23 Sep 2013 09:20:43 GMT
Expires: Mon, 23 Sep 2013 09:30:43 GMT
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Server: nginx/1.4.1
Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Set-Cookie: csrftoken=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Transfer-Encoding: chunked
Vary: Cookie, Accept-Language, Host
Via: 1.1 varnish
X-Cache: MISS
X-Varnish: 1950616479
default.vcl for completeness:
backend default {
    .host = "127.0.0.1";
    .port = "8000";
}

sub vcl_recv {
    set req.grace = 15s;

    if (req.http.Cookie) {
        # removes all cookies named __utm? (utma, utmb...) - tracking thing
        set req.http.Cookie = regsuball(req.http.Cookie, "(^|; ) *__utm.=[^;]+;? *", "\1");
    }

    # unless sessionid/csrftoken is in the request, don't pass ANY cookies (referral_source, utm, etc)
    if (req.request == "GET" && (req.url ~ "^/static" || (req.http.cookie !~ "flash_sessionid" && req.http.cookie !~ "csrftoken"))) {
        remove req.http.Cookie;
    }

    # normalize accept-encoding to account for different browsers
    # see: https://www.varnish-cache.org/trac/wiki/VCLExampleNormalizeAcceptEncoding
    if (req.http.Accept-Encoding) {
        if (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            # unknown algorithm
            remove req.http.Accept-Encoding;
        }
    }
}

sub vcl_fetch {
    set beresp.ttl = 300s;
    set beresp.grace = 15s;

    # static files always cached
    if (req.url ~ "^/static") {
        unset beresp.http.set-cookie;
        return (deliver);
    }

    # pass through for anything with a session/csrftoken set
    if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken") {
        return (hit_for_pass);
    } else {
        return (deliver);
    }
}

sub vcl_deliver {
    # Add a header to indicate a cache HIT/MISS
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
    return (deliver);
}

In the response headers I see Django setting the cookie value to a date in the past; however, the csrftoken cookie still persists on the next request.
I also tried to remove the 'django.middleware.csrf.CsrfViewMiddleware' middleware, but the cookie is still there. Any tips please? Thanks
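The approach in the second reply (forward csrftoken and sessionid only to paths that actually need them, and never store a response that sets one) written out as an added example; this is not VCL from the thread or from the Varnish project. It uses Varnish 3 syntax to match the VCL in the question, assumes Django's default cookie names csrftoken and sessionid, and the path prefixes /accounts, /admin and /cart are placeholders for whatever views in the application enforce CSRF or read request.user:

```vcl
# Added example, not from the original thread. Varnish 3 syntax (req.request,
# vcl_fetch, hit_for_pass), as in the question's VCL.
# Assumptions: Django's default cookie names, and a hypothetical allow-list of
# path prefixes whose views read the session or enforce CSRF.

sub vcl_recv {
    if (req.http.Cookie) {
        # Drop Google Analytics cookies on every request (same as the question).
        set req.http.Cookie = regsuball(req.http.Cookie, "(^|; ) *__utm.=[^;]+;? *", "\1");

        # On GET/HEAD requests outside the allow-list the backend's answer does
        # not depend on who is asking, so csrftoken and sessionid are dropped too.
        # Django sends "Vary: Cookie", so with an empty Cookie header every
        # logged-in, logged-out and never-logged-in client shares one cached
        # object instead of each missing.
        # POST keeps its cookies: a POST without csrftoken fails Django's CSRF
        # check. Allow-listed paths keep them because they need request.user.
        if ((req.request == "GET" || req.request == "HEAD")
            && req.url !~ "^/(accounts|admin|cart)(/|$)") {
            set req.http.Cookie = regsuball(req.http.Cookie,
                "(^|; ) *(csrftoken|sessionid)=[^;]+;? *", "\1");
        }

        # Nothing useful left: remove the header so the cache key is clean.
        if (req.http.Cookie ~ "^\s*$") {
            remove req.http.Cookie;
        }
    }
}

sub vcl_fetch {
    # A response that issues or expires csrftoken/sessionid belongs to one
    # browser only (the logout response above is one example). Never store it,
    # whether or not the request path was on the allow-list.
    if (beresp.http.Set-Cookie ~ "(csrftoken|sessionid)=") {
        return (hit_for_pass);
    }
    return (deliver);
}
```

With this in place the logout response itself is still a MISS (it carries Set-Cookie, so it must be), but the next GET to a non-allow-listed page arrives at the backend without csrftoken or sessionid and is served from the shared object, which is the HIT the question is after. The check a practitioner wants before deploying it: every URL whose output changes per user must be on the allow-list, otherwise one user's page is cached and served to everyone else; and Django's own Vary: Cookie header must be left intact, since it is what keeps the cookie-bearing and cookie-less variants apart. On Varnish 4 and later the same logic goes in vcl_backend_response with req.method in place of req.request and `set beresp.uncacheable = true; return (deliver);` in place of hit_for_pass.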
You received this message because you are subscribed to the Google Groups "Django users" group.