Tons of false positives from Django's CSRF mid

Published 2019-04-11 11:50

Question:

I'm getting tons of false positives from Django's contrib CSRF middleware. Just from normal use of the site there will be a lot of cases where the CSRF just starts blocking requests as suspected forgery attacks.

Does anyone else have issues like this? I'm using the SVN branch of Django so have the latest version of the CSRF middleware. How could I diagnose these issues?

Update: I see these false positives on my production and dev sites. They happen sporadically. My site uses sub-domains and there is a different dev/production version of the site that runs on different servers but is separated by a sub-domain. What triggers CSRF attack warnings? Is it when a dev cookie gets sent to the production site? Would moving between sub-domains for the same logged in user cause problems?

Answer 1:

CSRF protection in Django is based on a hidden field plus a properly working session. If you use subdomains to differentiate these two sites, check whether your settings.SESSION_COOKIE_DOMAIN is set properly to handle your case.
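As an added illustration that is not part of the original question or answer and is not Django's own code, the following constructed Python simulation models the session-backed CSRF check the answer describes together with the browser's cookie scoping rules (RFC 6265 domain matching). The hosts dev.example.com and www.example.com, the `Site` and `CookieJar` classes, and the `session_cookie_domain` parameter (standing in for `settings.SESSION_COOKIE_DOMAIN`) are all assumptions made for the example. It shows two of the situations the questioner asks about: a form rendered on one sub-domain and submitted on another, and two separate deployments that both scope their session cookie to the parent domain.

```python
import secrets
from dataclasses import dataclass


def domain_matches(request_host, cookie_domain, host_only):
    """RFC 6265 domain matching. A cookie set without a Domain attribute is
    host-only and is returned only to the exact host that set it; a cookie with
    Domain=example.com (a leading dot is ignored) is returned to that host and
    to every sub-domain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool


class CookieJar:
    """Tiny browser cookie store (constructed): a new cookie replaces an existing
    one with the same name, domain and host-only flag, as a browser would."""

    def __init__(self):
        self.cookies = []

    def set_cookie(self, response_host, name, value, domain_attr=None):
        host_only = domain_attr is None
        domain = response_host if host_only else domain_attr.lstrip(".")
        self.cookies = [c for c in self.cookies
                        if not (c.name == name and c.domain == domain
                                and c.host_only == host_only)]
        self.cookies.append(Cookie(name, value, domain, host_only))

    def cookies_for(self, request_host):
        return {c.name: c.value for c in self.cookies
                if domain_matches(request_host, c.domain, c.host_only)}


class Site:
    """Stand-in (assumed, not Django) for one deployment with a session-backed
    CSRF check: the token lives in the server-side session and must equal the
    hidden form field."""

    def __init__(self, host, session_cookie_domain=None):
        self.host = host
        self.session_cookie_domain = session_cookie_domain  # mirrors SESSION_COOKIE_DOMAIN
        self.sessions = {}  # session id -> CSRF token

    def get_form(self, jar):
        """GET: start a session, store a fresh token in it, set the session cookie,
        and return the value the page embeds in its hidden field."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        jar.set_cookie(self.host, "sessionid", sid, self.session_cookie_domain)
        return token

    def post_form(self, jar, hidden_token):
        """POST: find the session via whatever cookie the browser sends to this
        host and compare its stored token with the hidden field."""
        sid = jar.cookies_for(self.host).get("sessionid")
        if sid is None or sid not in self.sessions:
            return "403 CSRF check failed: no valid session cookie reached this host"
        if not secrets.compare_digest(self.sessions[sid], hidden_token):
            return "403 CSRF check failed: hidden field does not match session token"
        return "200 OK"


def form_on_one_subdomain_posted_to_another(session_cookie_domain):
    """Same logged-in user: page rendered on dev.example.com, form submitted to
    www.example.com (constructed hosts), both hosts sharing one session store."""
    jar = CookieJar()
    dev = Site("dev.example.com", session_cookie_domain)
    www = Site("www.example.com", session_cookie_domain)
    www.sessions = dev.sessions
    token = dev.get_form(jar)
    return www.post_form(jar, token)


def dev_and_prod_sharing_a_cookie_domain():
    """Separate dev and production deployments, each with its own session store,
    both setting sessionid for the whole parent domain: the second site's cookie
    overwrites the first one's, so the first site's pending form is rejected."""
    jar = CookieJar()
    dev = Site("dev.example.com", ".example.com")
    prod = Site("www.example.com", ".example.com")
    token = dev.get_form(jar)          # dev sets sessionid=A for example.com
    prod.get_form(jar)                 # prod sets sessionid=B, replacing A
    return dev.post_form(jar, token)   # dev now receives B, which it never issued


if __name__ == "__main__":
    print("host-only cookie, cross-subdomain POST:",
          form_on_one_subdomain_posted_to_another(None))
    print("SESSION_COOKIE_DOMAIN=.example.com, cross-subdomain POST:",
          form_on_one_subdomain_posted_to_another(".example.com"))
    print("dev and prod both on .example.com:", dev_and_prod_sharing_a_cookie_domain())
```

Running it shows the two failure modes side by side: with no domain set, the session cookie is host-only and never reaches the sibling sub-domain, so the check fails for lack of a session; with the cookie scoped to the parent domain, the cross-sub-domain submission succeeds, but two independent deployments on that parent domain then overwrite each other's cookie and reject each other's forms. In a real Django project the corresponding knobs are `SESSION_COOKIE_DOMAIN` (and, on versions that keep the token in its own cookie, `CSRF_COOKIE_DOMAIN`); giving dev and production distinct `SESSION_COOKIE_NAME` values or separate parent domains avoids the second collision.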