On Sep 23, 12:13 pm, oggy <[EMAIL PROTECTED]> wrote:
> Could we just include something like a signed salt+timestamp+REMOTE_ADDR
> in a hidden field? It's not exactly bulletproof because
> of the possibility of a same-IP-CSRF (affecting people behind
> proxies), but it's dead simple and doesn't require a lot of code
> change: Form -> SafeForm + request as the first parameter to __init__.
> Heck, I'd even trust sed to do it for me ;).

Timestamp and REMOTE_ADDR wouldn't make a proper token unless we also
included the timestamp and REMOTE_ADDR as hidden fields -- the server
needs to be able to *regenerate* the token when the form is submitted
in order to validate the POSTed token.

> Alternatively, since the only thing we need is to make sure that we're
> dealing with the same user across multiple requests, we could also
> provide some kind of a middleware that sets a sid-like cookie and
> include that instead of the REMOTE_ADDR. The obvious downside would be
> that you'd need to include it in settings.py.

Yes, this is what Simon suggested -- if sessions are not being used,
then send a cookie that is effectively a session ID, but only used for
CSRF protection.  I don't see why that requires any settings.py
changes, though.
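One way to build the regenerate-on-submit token the reply describes, as an added example that is neither code from this thread nor Django's own CSRF implementation: an HMAC over salt, timestamp and a binding value (REMOTE_ADDR, or the value of a CSRF-only cookie as in the second paragraph), with the salt and timestamp echoed back as hidden fields so the server can recompute the MAC. The constants SECRET_KEY and MAX_AGE and the hidden-field names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-example-secret-key"  # stands in for settings.SECRET_KEY
MAX_AGE = 3600  # seconds a token stays valid (assumed value)


def _mac(salt: str, ts: str, binding: str) -> str:
    # The token is a MAC over everything the server must see again at submit time.
    msg = f"{salt}|{ts}|{binding}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_fields(binding: str, now=None) -> dict:
    """Hidden fields to render into the form.

    `binding` is REMOTE_ADDR or a per-client CSRF cookie value.  Salt and
    timestamp are sent back as hidden fields; the binding is read from the
    request again on submit, which is what lets the server regenerate the MAC.
    Note: with REMOTE_ADDR as the binding, clients sharing one proxy IP share
    the binding, which is the weakness the thread points out.
    """
    salt = secrets.token_hex(8)
    ts = str(int(now if now is not None else time.time()))
    return {"csrf_salt": salt, "csrf_ts": ts, "csrf_token": _mac(salt, ts, binding)}


def validate_fields(fields: dict, binding: str, now=None) -> bool:
    """Recompute the MAC from the POSTed salt/timestamp and the live binding."""
    try:
        salt, ts, token = fields["csrf_salt"], fields["csrf_ts"], fields["csrf_token"]
    except KeyError:
        return False
    if not ts.isdigit():
        return False
    current = now if now is not None else time.time()
    age = current - int(ts)
    if age < 0 or age > MAX_AGE:  # reject future-dated and expired tokens
        return False
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(_mac(salt, ts, binding), token)
```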