#9977: CSRFMiddleware needs template tag
---------------------------------------------+------------------------------
Reporter: bthomas | Owner: lukeplant
Status: assigned | Milestone:
Component: HTTP handling | Version: SVN
Resolution: | Keywords: csrf
Stage: Design decision needed | Has_patch: 1
Needs_docs: 1 | Needs_tests: 0
Needs_better_patch: 1 |
---------------------------------------------+------------------------------
Comment (by Glenn):
Updated patch:
- Remove _make_token and use the CSRF cookie directly as the token.
- Don't uniquify the CSRF cookie based on the session cookie name. This
was needed when the CSRF token was hashed based on the site's secret key,
but since it no longer is, it should be perfectly fine for all sites
sharing cookies to share a CSRF token.
- Added settings.CSRF_COOKIE_NAME and CSRF_COOKIE_DOMAIN for the CSRF
cookie.
- Updated docs and tests. The previous two cookie settings,
SESSION_COOKIE_NAME and LANGUAGE_COOKIE_NAME, reference each other
explicitly ("should be different from..."), but I didn't update that;
having every cookie setting listing every other cookie setting doesn't
seem like a good approach. Maybe they should say "different from other
COOKIE_NAME settings".
- Tweaked the CSRF view error text; don't accuse hapless users of
forgery. (Of course, it's actually accusing some third party website of
forgery, but most users wouldn't know that.)
I didn't add a CSRF_COOKIE_PATH setting. The rationale in the
SESSION_COOKIE_PATH documentation (having separate sessions in different
Django instances) doesn't apply here: it's perfectly OK for unrelated
Django instances to pick up and reuse each other's authentication tokens
if they're visible. We can add it if someone actually wants it.
--
Ticket URL: <http://code.djangoproject.com/ticket/9977#comment:41>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
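The check the comment describes (cookie used directly as the token, a double-submit comparison on unsafe methods, cookie name and domain taken from CSRF_COOKIE_NAME and CSRF_COOKIE_DOMAIN), as an added illustration that is not the ticket's patch or Django's own code; the default values and the form field name `csrfmiddlewaretoken` are assumptions for this example:

```python
import hmac
import secrets

# Setting names come from the ticket; the default values here are assumptions.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_COOKIE_DOMAIN = None
# Form field that echoes the cookie value back; the name is an assumption.
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def new_token():
    """Random, unguessable token; it lives only in the cookie (no secret-key hash)."""
    return secrets.token_hex(16)


def ensure_cookie(cookies):
    """Return (token, set_cookie). set_cookie describes the cookie to emit,
    or is None when the browser already sent one."""
    token = cookies.get(CSRF_COOKIE_NAME)
    if token:
        return token, None
    token = new_token()
    set_cookie = {"name": CSRF_COOKIE_NAME, "value": token}
    if CSRF_COOKIE_DOMAIN:
        set_cookie["domain"] = CSRF_COOKIE_DOMAIN
    return token, set_cookie


def check_request(method, cookies, form):
    """Double-submit check: the submitted field must equal the cookie value.
    A cross-site page can make the browser attach the cookie, but cannot read
    it to copy the value into the request body, so a mismatch means reject."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    submitted = form.get(CSRF_FORM_FIELD)
    if not cookie_token or not submitted:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token, submitted)
```

In a real middleware the caller would emit `set_cookie` on the response and return a 403 when `check_request` is false.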