Hello. Under Django 1.1.1, I am using several authentication backends, such as social-registration for Facebook Connect and django-emailauth for email-based authentication instead of user names.

I am curious whether the CSRF middleware is an essential security measure, as it seems like it sometimes generates problems, especially with Facebook Connect.

My project is rather simple. Each user has a profile which they can fill in, and a purchase page where they fill in the payment form to make purchases. Both of these pages are protected via @login_required.

+1  A: 

Well, it protects your site from already-logged-in-but-fooled (in their browser) users. It would be better to have it turned on. login_required is irrelevant here.

As for the problems, yes, it can cause some. There are two ways to fix them:

  1. If you do Ajax requests, Django is smart enough to turn off protection based on HTTP headers; basically any request from any Ajax library should go through.

  2. In cases where headers can't help you, put the csrf_except decorator on your view.

Bottom line: use CSRF protection on your money views and disable it either way for Facebook etc.

Dmitry Shevchenko
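As an added illustration of the point in the answer above, that @login_required does nothing against a cross-site POST while the CSRF check blocks it (example code written for this page, not Django's own middleware and not from either poster): a plain-Python model in which the session table, the purchase view and the token values are constructed inline, and the CSRF check is simplified to "the csrfmiddlewaretoken form field must match the token the site issued".

```python
import secrets

SESSIONS = {"sess-abc": "alice"}  # constructed: session id -> logged-in user
CSRF_COOKIE = "csrftoken"         # name of the cookie carrying the issued token

def login_required(view):
    """Model of @login_required: it only checks that the session cookie is valid."""
    def wrapped(request):
        if request["cookies"].get("sessionid") not in SESSIONS:
            return 302  # would redirect to the login page
        return view(request)
    return wrapped

def csrf_protect(view):
    """Model of the CSRF middleware: a POST must echo the issued token in a form field."""
    def wrapped(request):
        if request["method"] == "POST":
            cookie = request["cookies"].get(CSRF_COOKIE, "")
            field = request["POST"].get("csrfmiddlewaretoken", "")
            if not cookie or not secrets.compare_digest(cookie, field):
                return 403
        return view(request)
    return wrapped

def purchase(request):
    """The money view: a 200 here means the purchase went through."""
    return 200

def cross_site_post(protected: bool) -> int:
    """A form on an attacker's page auto-submits to /purchase while the victim is logged in.
    The browser attaches the victim's cookies, so login_required passes, but the attacker's
    page cannot read the CSRF cookie and so cannot supply a matching csrfmiddlewaretoken."""
    token = secrets.token_hex(16)  # constructed: token the site issued to the victim earlier
    cookies = {"sessionid": "sess-abc", CSRF_COOKIE: token}
    request = {"method": "POST", "cookies": cookies, "POST": {"amount": "100"}}
    view = login_required(csrf_protect(purchase)) if protected else login_required(purchase)
    return view(request)

def same_site_post() -> int:
    """The site's own form, rendered with {% csrf_token %}, echoes the issued token."""
    token = secrets.token_hex(16)
    cookies = {"sessionid": "sess-abc", CSRF_COOKIE: token}
    post = {"amount": "100", "csrfmiddlewaretoken": token}
    request = {"method": "POST", "cookies": cookies, "POST": post}
    return login_required(csrf_protect(purchase))(request)
```

With only login_required the forged purchase returns 200; with the CSRF check in front of the view it returns 403, while the site's own form still gets 200.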
A: 

Typo on that last post. It's csrf_exempt, not csrf_except.