当我们发送csrftoken时,django中{% csrf_token %} - Cookie的用途是什么
在每份表格提交中。
<form method="post" action="actionFile/">
{% csrf_token %}
<button>Submit</button>
</form>
Django处理器总是要求{% csrf_token %}
我们是否必须在每种形式中放置{% csrf_token %},django处理器不能使用csrftoken - Cookie
{% csrf_token %}来防止伪造,但有什么用途?
请澄清。,。,
答案 0 :(得分:2)
Cross-site request forgery, also known as a one-click attack or session riding and
abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby
unauthorized commands are transmitted from a user that the website trusts.Unlike cross-
site scripting (XSS), which exploits the trust a user has for a particular site, CSRF
exploits the trust that a site has in a user's browser.
使用秘密Cookie
Remember that all cookies, even the secret ones, will be submitted with every request.
All authentication tokens will be submitted regardless of whether or not the end-user
was tricked into submitting the request. Furthermore, session identifiers are simply
used by the application container to associate the request with a specific session
object. The session identifier does not verify that the end-user intended to submit
the request.
仅接受POST请求
Applications can be developed to only accept POST requests for the execution of business
logic. The misconception is that since the attacker cannot construct a malicious link,
a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are
numerous methods in which an attacker can trick a victim into submitting a forged POST
request, such as a simple form hosted in attacker's website with hidden values. This
form can be triggered automatically by JavaScript or can be triggered by the victim who
thinks form will do something else.
Django每次请求服务器时都会设置csrftoken cookie,当您将数据从客户端发布到服务器时,此令牌与该令牌匹配,如果它不匹配probs,如果不匹配,则会抛出错误,这是恶意请求。
如果您可以使用csrf_exempt装饰器来禁用特定视图的CSRF保护。
from django.views.decorators.csrf import csrf_exempt
然后在您的观看之前写下@csrf_exempt
答案 1 :(得分:0)
CSRF代表:跨站请求伪造
对于Web应用程序来说,这是一种非常强大的攻击。因此,不仅Django而且大多数其他框架(包括Ruby on Rails)都支持防止此攻击。
在Django中,通过发送“csrfmiddlewaretoken”作为POST数据来完成。然后Django将此标记的值与合法标记匹配。如果匹配请求已通过,其他 错误已提升。
{%csrf_token%}模板标记生成一个隐藏的输入字段,其中包含合法的CSRF令牌值。
所有处理和异常提升都在 CsrfViewMiddleware 中完成。 你可以在Django docs中找到更多相关信息(非常好看):https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/