On Sep 22, 11:09 pm, Jan Oberst <[EMAIL PROTECTED]> wrote:
> I'd protect all my forms if there's a neat way to do it. Why would it
> only apply to logged-in users? I'm not using contrib.auth.

It doesn't need to only apply to contrib.auth logged-in users, but it
should only be used for forms which are behind some kind of
cookie-based protection (auth is the most obvious example, but if you've
rolled your own authentication scheme you should be able to use
SafeForm as well).

There's no point in protecting a form which anyone can use (e.g. a
public "contact us" form) as the purpose of CSRF is for an attacker to
force you to perform an authenticated action that you don't want to
perform - deleting something from a CMS for example. If anyone can use
the form in question the attacker can just go and submit it
themselves.

Cheers,

Simon
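As an added illustration of the distinction Simon draws (not code from the thread, from SafeForm, or from Django itself), the following stand-alone Python sketch ties a CSRF token to the session cookie with an HMAC and checks it only on the authenticated, state-changing handler, while the public contact form goes unprotected. The `Request` class, the `SECRET_KEY` value, the `handle_delete` / `handle_contact` handlers and the HMAC-of-session-id token scheme are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed server-side secret for this example; a real deployment loads it
# from settings, never from source.
SECRET_KEY = b"example-secret-key-not-for-production"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the cookies the browser attached
    and the submitted POST fields (hypothetical, not a framework class)."""
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session token as HMAC(secret, session id).

    A cross-site page can make the victim's browser *send* the session cookie,
    but it can neither read that cookie nor read the page that embeds this
    token, so it cannot reproduce the value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted: str) -> bool:
    """Constant-time comparison so the check does not leak via timing."""
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def render_delete_form(session_id: str) -> str:
    """The authenticated form carries the token as a hidden field."""
    return (
        '<form method="post" action="/cms/delete/42/">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
        '<input type="submit" value="Delete"></form>'
    )


def handle_delete(request: Request) -> tuple[int, str]:
    """Authenticated, state-changing action: requires a session cookie AND the
    token that only a page served to that session could have contained."""
    session_id = request.cookies.get("sessionid")
    if session_id is None:
        return 403, "login required"
    if not token_is_valid(session_id, request.POST.get("csrf_token", "")):
        return 403, "CSRF check failed"
    return 200, "deleted"


def handle_contact(request: Request) -> tuple[int, str]:
    """Public form with no session behind it. A token would add nothing here:
    anyone, the attacker included, can simply submit the form directly."""
    message = request.POST.get("message", "")
    if not message:
        return 400, "message required"
    return 200, f"thanks, received {len(message)} bytes"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    # Legitimate submission: browser sends the cookie and the form's hidden token.
    good = Request(cookies={"sessionid": sid},
                   POST={"csrf_token": csrf_token_for(sid)})
    # Cross-site submission: the cookie rides along automatically, the token cannot.
    forged = Request(cookies={"sessionid": sid}, POST={})
    print(handle_delete(good))      # (200, 'deleted')
    print(handle_delete(forged))    # (403, 'CSRF check failed')
    print(handle_contact(Request(POST={"message": "hello"})))
```

The forged request fails because the token derives from a server-side secret and the session id, and the attacker's page never sees either; the contact form has no session to bind to, which is exactly why protecting it buys nothing.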
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
