views: 1929
answers: 4
The django csrf middleware can't be disabled. I've commented it out from my Middleware of my project but my logins are failing due to missing CSRF issues. I'm working from the Django trunk. How can CSRF cause issues if it is not enabled in middleware?

I have to disable it because there are lots of POST requests on my site that CSRF just breaks. Any feedback on how I can completely disable CSRF in a django trunk project?

The "new" CSRF framework from Django's trunk is also breaking an external site that is coming in and doing a POST on a URL I'm giving them (this is part of a restful API.) I can't disable the CSRF framework as I said earlier, how can I fix this?

+3  A: 
Hank Gay
Thanks for the info, you didn't tell me how to disable CSRF completely, I have a production site which has stopped working for paying customers because I was blindsided by this "new" way of doing things that is not backwards compatible. But this is the issue that is causing the problem, I'm working on quickly updating to the new/legacy way.
MikeN
Here's some of the discussion from the developers' mailing list: http://groups.google.com/group/django-developers/browse_thread/thread/ac771d10d58340cb Maybe that will help with the disabling/updating.
Hank Gay
There is a view decorator to use: @csrf_exempt, if you put this decorator the CSRF framework will ignore its checking for that request. I'm still pissed at how this CSRF trap was sprung, it is baked into the auth framework so you can't disable it if you use auth for sign-in.
MikeN
The new version has only just landed in the development trunk. You shouldn't be using development code for a production site - or if you do you should be aware of what all the changes are before you update.
Daniel Roseman
In his defense, tracking `trunk` was the recommended way to run Django for quite a while. Even though that has changed, I'm sure there are plenty of people who still do it.
Hank Gay
Yes! I'm going to start using a stable version of Django. I've been running a production money generating site off the dev. branch from before version 1.0 was released. Django is an amazing project, but this is the first time I've gotten burned by using the trunk.
MikeN
+2  A: 

I feel your pain. It's not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x --> 2.x.

Anyway, to fix it I just commented it out and have stopped updating Django as often.

File: django/middleware/csrf.py Around line 160:

            # check incoming token
#            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
#            if request_csrf_token != csrf_token:
#                if cookie_is_new:
#                    # probably a problem setting the CSRF cookie
#                    return reject("CSRF cookie not set.")
#                else:
#                    return reject("CSRF token missing or incorrect.")
Aaron
A: 

Check out this one: http://hi.baidu.com/ledzep2/blog/item/e6b1612e21884c5c4ec2267a.html

Rus
+4  A: 

Yes, the Django CSRF framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example:

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def my_view(request):
    return HttpResponse("hello world")

...and then remove {% csrf_token %} inside the forms from your template, or leave other things unchanged if you have not included it in your forms.

Adriot
+1 much better to use the prescribed method to turn it off selectively, rather than turning it off everywhere!
Seth
Great answer, it needs more upvotes
GDR
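The two approaches on this page (commenting the token check out of django/middleware/csrf.py in Aaron's answer, versus opting single views out with csrf_exempt in Adriot's answer) differ in what is left protected. The following is an added example, not code from the page or from Django: it models the check that Aaron's quoted block performs and the csrf_exempt marker, so it runs without Django installed. Request, dispatch(), login_view, partner_hook, the api_key field and PARTNER_KEY are constructed stand-ins for this illustration; the partner endpoint checking a shared secret is an assumed design, not something the page prescribes.

```python
"""Model of Django's CSRF middleware check and the csrf_exempt opt-out.

Added example (not Django's code): the token comparison mirrors the block
quoted from django/middleware/csrf.py; Request, dispatch() and the views
are constructed stand-ins so the file runs without Django.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE_NAME = "csrftoken"            # cookie carrying the per-session token
CSRF_FORM_FIELD = "csrfmiddlewaretoken"   # hidden field that {% csrf_token %} renders
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
PARTNER_KEY = "constructed-partner-secret"   # constructed sample value


@dataclass
class Request:
    """Constructed stand-in for HttpRequest (only what the check reads)."""
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


def csrf_exempt(view):
    """Stand-in for django.views.decorators.csrf.csrf_exempt: mark the view."""
    view.csrf_exempt = True
    return view


def csrf_check(request, view):
    """Return a rejection reason, or None when the request may proceed."""
    if getattr(view, "csrf_exempt", False):
        return None                       # view opted out; nothing is checked
    if request.method in SAFE_METHODS:
        return None                       # only state-changing methods are checked
    csrf_token = request.COOKIES.get(CSRF_COOKIE_NAME)
    if csrf_token is None:
        # Django sets a fresh cookie here (cookie_is_new) and rejects: a token
        # it has only just minted cannot already be present in the form.
        return "CSRF cookie not set."
    request_csrf_token = request.POST.get(CSRF_FORM_FIELD, "")
    if not hmac.compare_digest(request_csrf_token, csrf_token):
        return "CSRF token missing or incorrect."
    return None


def dispatch(request, view):
    """Run the middleware check, then the view. Returns (status, body)."""
    reason = csrf_check(request, view)
    if reason is not None:
        return 403, reason
    result = view(request)
    return result if isinstance(result, tuple) else (200, result)


def login_view(request):
    """Browser-facing form view: keeps the cookie/token check."""
    return "logged in"


@csrf_exempt
def partner_hook(request):
    """API endpoint POSTed to by an external site (the asker's case).

    Exempt from the cookie/token check, since the caller never holds the
    CSRF cookie; it verifies a shared secret instead (assumed design).
    """
    if not hmac.compare_digest(request.POST.get("api_key", ""), PARTNER_KEY):
        return 403, "bad api key"
    return "order accepted"


def scenarios():
    """Constructed requests covering the cases discussed on the page."""
    token = secrets.token_hex(16)
    return {
        # form rendered with {% csrf_token %}, submitted by the same browser
        "form_ok": dispatch(Request("POST", {CSRF_COOKIE_NAME: token},
                                    {CSRF_FORM_FIELD: token}), login_view),
        # cross-site POST: the browser attaches the cookie automatically,
        # but the foreign form cannot know the token value
        "forged": dispatch(Request("POST", {CSRF_COOKIE_NAME: token},
                                   {"username": "x"}), login_view),
        # first visit or cookies blocked: no cookie at all
        "no_cookie": dispatch(Request("POST", {}, {CSRF_FORM_FIELD: token}),
                              login_view),
        # external partner hitting the exempt API view with its secret
        "partner": dispatch(Request("POST", {}, {"api_key": PARTNER_KEY}),
                            partner_hook),
        # same exempt view, wrong secret: the view itself rejects it
        "partner_bad": dispatch(Request("POST", {}, {"api_key": "nope"}),
                                partner_hook),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12s} -> {result}")
```

Deleting the comparison from the middleware, as in Aaron's answer, turns every one of these POSTs into a 200, including the forged one; marking only partner_hook exempt keeps the login form rejecting it while the partner's POST, which carries no cookie and so could never pass the token check, still gets through.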