python - does both csrftoken cookie AND csrf_token INPUT type required in django -

-

what use of csrftoken-cookie in django when have send {% csrf_token %} in every form submission .

<form method="post" action="actionfile/"> {% csrf_token %}  <button>submit</button>  </form>

the django processor allways asks {% csrf_token %}

do have put {% csrf_token %} in every form , can't django processor utilize csrftoken-cookie

{% csrf_token %} might required prevent forgery use of cookie

please clarify.,.,

cross-site request forgery :

cross-site request forgery, known one-click attack or session riding , abbreviated csrf or xsrf, type of malicious exploit of website whereby   unauthorized commands transmitted user website trusts.unlike cross- site scripting (xss), exploits trust user has particular site, csrf  exploits trust site has in user's browser.

using secret cookie

remember cookies, secret ones, submitted every request. authentication tokens submitted regardless of whether or not end-user  tricked submitting request. furthermore, session identifiers used application container associate request specific session  object. session identifier not verify end-user intended submit request.

only accepting post requests

applications can developed accept post requests execution of business  logic. misconception since attacker cannot construct malicious link, csrf attack cannot executed. unfortunately, logic incorrect. there numerous methods in attacker can trick victim submitting forged post request, such simple form hosted in attacker's website hidden values.  form can triggered automatically javascript or can triggered victim thinks form else.

reference link

django sets csrftoken cookie every time when request server, , when post data client server token matches token, if matches no probs , if not matches throws error malicious request.

if can use csrf_exempt decorator disable csrf protection particular view.

from django.views.decorators.csrf import csrf_exempt

then write @csrf_exempt before view


Comments

Post a Comment

Popular posts from this blog

c++ - OpenCV Error: Assertion failed <scn == 3 ::scn == 4> in unknown function, -

-
i read alot other solution still confused should mine... #include <opencv2/objdetect/objdetect.hpp> #include <opencv2/highgui/highgui.hpp> #include <opencv2/imgproc/imgproc.hpp> #include <iostream> #include <stdio.h> using namespace std; using namespace cv; int main(int argc, const char** argv) { //create cascade classifier object used face detection cascadeclassifier face_cascade; //use haarcascade_frontalface_alt.xml library face_cascade.load("haarcascade_frontalface_alt.xml"); //setup video capture device , link first capture device videocapture capturedevice; capturedevice.open(0); //setup image files used in capture process mat captureframe; mat grayscaleframe; //create window present results namedwindow("outputcapture", 1); //create loop capture , find faces while (true) { //capture new image frame capturedevice >> captureframe; ...
Read more

php - render data via PDO::FETCH_FUNC vs loop -

-
i've been using 2 methods render data. the first one: function name($id,$name){ return '<div id="'.$id.'">'.$name.'</div>'; } echo implode($pdo->query("select id,name user")->fetchall(pdo::fetch_func,'name')); the second one: $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); foreach($users $user){ echo name($user->id,$user->name); } i don't understand how pdo::fetch_func works. tried figure out. however, not well-documented. could please explain fetch mode? , also, 1 performs better? thank you. both methods wrong , have learn how use templates , how separate business logic presentation logic. $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); tpl::assign('users', $users); is code business logic part. then in template <?php foreach $users $row): ?> <div id="<?=$...
Read more

The canvas has been tainted by cross-origin data in chrome only -

-
uncaught securityerror: failed execute 'getimagedata' on 'canvasrenderingcontext2d': canvas has been tainted cross-origin data i getting above error in chrome. code(following) works fine in mozilla. have not corss domain issue. why above error in chrome? var wheel_canvas, wheel_context, can_w, can_h, wheel_grd; var large_radius = 160; var small_radius = 120; var wheel_canvas = document.getelementbyid('wheel_canvas'); var wheel_context = wheel_canvas.getcontext('2d'); var can_w = $(wheel_canvas).width(); var can_h = $(wheel_canvas).height(); var centerx = can_w / 2, centery = can_h / 2; var wheel_grd = null; test('#ff0000'); function test(hex) { $('#clrpicker').css({'left': 210, 'top': 210 }); inverted = hexbw(hex); $('#color_val_show').val(hex); current_color_hex_val_selected = hex; $('#color_val_show').css({'color':inverted,'background':hex}); fillgradient...
Read more