#33529: Possibly Incorrect statement in the docs about CRSF tokens
------------------------------+--------------------------------------
Reporter: Michael | Owner: nobody
Type: Bug | Status: closed
Component: contrib.auth | Version: 4.0
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Comment (by Florian Apolloner):
Yeah this seems about right.
> I think instead of correcting the docs, the cookie first behaviour is
desired.
The admin doesn't use Javascript so it has to use the token from the DOM
to send along in the form submission which then is compared to the cookie
server side.
> However with the cookie first approach, why does one need the CSRF DOM
token ({% csrftoken %})?
The CSRF token needs to be part of the forms that your browser sends. Only
when you are using JS you have the option of fetching the token from
somewhere else.
--
Ticket URL: <https://code.djangoproject.com/ticket/33529#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/068.59466cc72e31781a46ec53077f8899d2%40djangoproject.com.
