On 25-6-2012 15:20, Mike wrote:
> 
> 
> On Monday, June 25, 2012 3:06:28 PM UTC+2, Melvyn Sopacua wrote:
>>
>> On 25-6-2012 13:11, Mike wrote: 
>>
>>> POST:<QueryDict: {u'{"user":"test_user","password":"test_password"}': 
>>> [u'']}>, 
>>
>> Wait a second... 
>> Where's your csrfmiddlewaretoken from the {% csrf_token %} field that 
>> you put in your form? 
>>
>> This is the process: 
>> - the cookie token is basically a lock 
>> - the POST request resembles trying to open the door with that lock 
>> - the formfield token is a key 
>>
>> No key, no open door. 
>> Wrong key, no open door. 
>> -- 
>> Melvyn Sopacua 
>>
> Well, that's the thing, there *is* no {% csrf_token %} field in my form
> because I have no form.

Then you can't protect the form either, which is what CSRF is for. The
token in the form is different each time and behind the scenes
associated with your cookie token. So that form token is only valid for
that cookie and only valid once.
-- 
Melvyn Sopacua
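To make the lock-and-key picture above concrete, here is a small added example (not Django's own CsrfViewMiddleware, and not code from anyone in this thread): a simplified model of the check that Django performs, with the cookie as the lock and the form field or the X-CSRFToken request header as the key. The cookie, field and header names mirror Django's defaults; the request dictionaries, including the QueryDict from Mike's debug output with the JSON body as its only key, are constructed for the example.

```python
import hmac
import secrets

# Names mirror Django's defaults, but the checker below is a simplified
# model written for this example, not Django's CsrfViewMiddleware.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
CSRF_HEADER_NAME = "X-CSRFToken"


def issue_token() -> str:
    """Mint the 'lock': a random token the server sets as a cookie."""
    return secrets.token_hex(16)


def csrf_check(cookies: dict, form: dict, headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a POST.

    The request must carry the token twice: once in the cookie (the lock)
    and once in the form field or the X-CSRFToken header (the key). A
    cross-site page can make the browser send the cookie, but cannot read
    it to copy the value into the body or a header, so missing or
    mismatching keys are rejected.
    """
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if not cookie_token:
        return False, "no CSRF cookie: nothing to check the key against"

    # AJAX/JSON clients without a form send the key in the header instead.
    request_token = form.get(CSRF_FORM_FIELD) or headers.get(CSRF_HEADER_NAME)
    if not request_token:
        return False, "no key: token missing from form field and header"

    # Constant-time comparison so the check does not leak how many leading
    # characters of the token matched.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return False, "wrong key: request token does not match cookie token"
    return True, "ok"


def demo() -> list:
    """Run the checker over a few constructed requests and return the verdicts."""
    token = issue_token()
    cookies = {CSRF_COOKIE_NAME: token}

    # Constructed to match the QueryDict in the thread: the raw JSON body
    # ended up as the only key, and there is no csrfmiddlewaretoken field.
    json_as_form_key = {'{"user":"test_user","password":"test_password"}': ""}

    cases = [
        ("form without token", cookies, json_as_form_key, {}),
        ("form with token", cookies, {CSRF_FORM_FIELD: token}, {}),
        ("JSON POST, token in header", cookies, {}, {CSRF_HEADER_NAME: token}),
        ("JSON POST, wrong header token", cookies, {}, {CSRF_HEADER_NAME: "0" * 32}),
        ("token in form but no cookie", {}, {CSRF_FORM_FIELD: token}, {}),
    ]
    results = []
    for name, c, f, h in cases:
        allowed, reason = csrf_check(c, f, h)
        results.append((name, allowed, reason))
        print(f"{name:32s} -> {'allowed' if allowed else 'rejected'}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The third case is the one that applies when there is no HTML form at all: the client reads the csrftoken cookie value on its own origin and sends it back in the X-CSRFToken header, which Django accepts in place of the form field.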


-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.