ansaurus

Question

Django CSRF framework cannot be disabled and is breaking my site

Answer 1

+3 A:

Hank Gay 2009-10-30 16:45:51

Thanks for the info, you didn't tell me how to disable CSRF completely, I have a production site which has stopped working for paying customers because I was blindsided by this "new" way of doing things that is not backwards compatible. But this is the issue that is causing the problem, I'm working on quickly updating to the new/legacy way.

MikeN 2009-10-30 17:08:12

Here's some of the discussion from the developers' mailing list: http://groups.google.com/group/django-developers/browse_thread/thread/ac771d10d58340cbMaybe that will help with the disabling/updating.

Hank Gay 2009-10-30 17:47:12

There is a view decorator to use: @csrf_exempt, if you put this decorator the CSRF framework will ignore its checking for that request. I'm stil pissed at how this CSRF trap was sprung, it is baked into the auth framework so you can't disable it if you use auth for sign-in.

MikeN 2009-10-30 18:05:58

The new version has only just landed in the development trunk. You shouldn't be using development code for a production site - or if you do you should be aware of what all the changes are before you update.

Daniel Roseman 2009-10-30 20:21:24

In his defense, tracking `trunk` was the recommended way to run Django for quite a while. Even though that has changed, I'm sure there are plenty of people who still do it.

Hank Gay 2009-10-31 02:13:06

Yes! I'm going to start using a stable version of Django. I've been running a production money generating site off the dev. branch from before version 1.0 was released. Django is an amazing project, but this is the first time I've gotten burned by using the trunk.

MikeN 2009-11-02 14:49:19

Answer 2

+2 A:

I feel your pain. It's not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x --> 2.x.

Anyway, to fix it I just commented it out and have stopped updating Django as often.

File: django/middleware/csrf.py Around line 160:

            # check incoming token
#            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
#            if request_csrf_token != csrf_token:
#                if cookie_is_new:
#                    # probably a problem setting the CSRF cookie
#                    return reject("CSRF cookie not set.")
#                else:
#                    return reject("CSRF token missing or incorrect.")

Aaron 2010-03-12 10:43:10

Answer 3

A:

checkout this one http://hi.baidu.com/ledzep2/blog/item/e6b1612e21884c5c4ec2267a.html

Rus 2010-05-24 12:56:27

Answer 4

+4 A:

Yes, Django csrf framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example:

from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def my_view:
return Httpresponse("hello world")

..and then remove {% csrf_token %} inside the forms from your template,or leave other things unchanged if you have not included it in your forms.

Adriot 2010-07-08 07:48:48

+1 much better to use the prescribed method to turn it off selectively, rather than turning it off everywhere!

Seth 2010-07-19 20:01:37

Great answer, it needs more upvotes

GDR 2010-10-21 11:44:22

ansaurus

tags:

views:

answers:

Django CSRF framework cannot be disabled and is breaking my site

related questions