SESSION_COOKIE_HTTPONLY covers the session cookie, but what about the CSRF one?
http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly
I tried the second method and it works wonderfully, thanks! Just added the middleware before csrf (obvious but it took me a while as I put it after) and put CSRF_COOKIE_NAME in settings and that's all. – Mark Jun 2 at 21:08
Currently there is no setting option for this.
You could override the process_response() method of django.middleware.csrf.CsrfViewMiddleware and use the customized one instead of CsrfViewMiddleware in MIDDLEWARE_CLASSES:

    from django.conf import settings
    from django.middleware.csrf import CsrfViewMiddleware

    class Foo(CsrfViewMiddleware):
        def process_response(self, request, response):
            # super(Foo, ...) so CsrfViewMiddleware.process_response still runs and sets the cookie
            response = super(Foo, self).process_response(request, response)
            # the cookie is only on the response when the view actually used the token
            if settings.CSRF_COOKIE_NAME in response.cookies:
                response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
            return response

Or in another middleware which is invoked after CsrfViewMiddleware in the response phase:

    from django.conf import settings

    # runs after CsrfViewMiddleware on the response, i.e. is listed before it in MIDDLEWARE_CLASSES
    class Foo(object):
        def process_response(self, request, response):
            if settings.CSRF_COOKIE_NAME in response.cookies:
                response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
            return response
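The middleware approach above, as an added example that is not code from the answer or from Django: it exercises the same HttpOnly patch against a minimal stand-in for Django's HttpResponse so it runs without Django installed. It relies on one fact about Django, that HttpResponse.cookies is an http.cookies.SimpleCookie; the names FakeResponse, CsrfCookieHttpOnlyMiddleware and the constructed token value are illustrative, and CSRF_COOKIE_NAME is hard-coded where a real middleware would read django.conf.settings. It also covers the failure mode the first snippet in the answer originally missed: CsrfViewMiddleware only adds the CSRF cookie when the view used the token, so the patch must not assume the cookie is present.

```python
"""Added example (not from the original answer or from Django): flag the CSRF
cookie HttpOnly in a response-phase middleware, tolerating its absence."""
from http.cookies import SimpleCookie

# Assumption: Django's default CSRF_COOKIE_NAME; a real middleware reads
# django.conf.settings.CSRF_COOKIE_NAME instead.
CSRF_COOKIE_NAME = "csrftoken"


class FakeResponse:
    """Stand-in for django.http.HttpResponse: only the .cookies attribute,
    which in Django is an http.cookies.SimpleCookie as well."""

    def __init__(self):
        self.cookies = SimpleCookie()

    def set_cookie(self, key, value, max_age=None, secure=False, httponly=False):
        # Same morsel attributes Django's HttpResponse.set_cookie() writes.
        self.cookies[key] = value
        if max_age is not None:
            self.cookies[key]["max-age"] = max_age
        if secure:
            self.cookies[key]["secure"] = True
        if httponly:
            self.cookies[key]["httponly"] = True

    def set_cookie_headers(self):
        """Set-Cookie header values as they would go on the wire."""
        return [morsel.OutputString() for morsel in self.cookies.values()]


class CsrfCookieHttpOnlyMiddleware:
    """Runs after CsrfViewMiddleware in the response phase (so it is listed
    *before* it in the middleware list) and marks the CSRF cookie HttpOnly."""

    def process_response(self, request, response):
        morsel = response.cookies.get(CSRF_COOKIE_NAME)
        if morsel is not None:  # absent when the view never used the token
            morsel["httponly"] = True
        return response


def csrf_cookie_is_httponly(response):
    """True if the response carries the CSRF cookie with the HttpOnly flag."""
    morsel = response.cookies.get(CSRF_COOKIE_NAME)
    return bool(morsel is not None and morsel["httponly"])


def demo(with_csrf_cookie=True):
    """Build a response the way CsrfViewMiddleware would, then apply the patch."""
    response = FakeResponse()
    if with_csrf_cookie:
        # Constructed token value; Django generates a random one.
        response.set_cookie(CSRF_COOKIE_NAME, "ZXhhbXBsZXRva2Vu",
                            max_age=31449600, secure=True)
    return CsrfCookieHttpOnlyMiddleware().process_response(None, response)


if __name__ == "__main__":
    for line in demo().set_cookie_headers():
        print(line)   # csrftoken=...; HttpOnly; Max-Age=31449600; Secure
    print(demo(with_csrf_cookie=False).set_cookie_headers())   # []
```

One caveat before shipping this: once the cookie is HttpOnly, JavaScript can no longer read it, so AJAX code that copies the token out of document.cookie into the X-CSRFToken header stops working and must take the token from the {% csrf_token %} hidden input in the page instead. Django 1.6 and later also provide a CSRF_COOKIE_HTTPONLY setting that does what this middleware does.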
I'm not going to categorize this as a bug, because over HTTPS we also have strict referer checking for CSRF protection, so leaking the token is not a critical issue.
http://eli.thegreenplace.net/2011/06/24/django-sessions-part-i-cookies/
http://coffeeonthekeyboard.com/tag/django-nyc-security/page/2/
http://solutoire.com/2009/02/26/django-series-1-a-custom-login-page/
http://www.alandelevie.com/2008/12/14/a-simple-introduction-to-django-forms/
https://docs.djangoproject.com/en/dev/ref/template-response/
https://docs.djangoproject.com/en/dev/ref/templates/api/#django.template.Context
https://docs.djangoproject.com/en/dev/ref/templates/api/#django.template.RequestContext
http://stackoverflow.com/questions/5037505/web-application-best-way-to-handle-state
I have some CRUD pages for which I have to store some state information, like current page, records per page, current order, filter conditions, and sometimes way more information...
I'd like to use friendly URLs similar to REST style, something like http://microformats.org/wiki/rest/urls (GET for browsing, POST to add, PUT to edit, DELETE to remove).
The problem with cookies is that if I open several tabs, all of them would share the same cookies; it's the same with the session because the session id is stored in a cookie.
If I try to keep those params in the URL (something like GET /clients?page=1&len=10&sort=name&filter=smith), as soon as I issue a POST I lose those values.
The other solution would be to store the state on hidden inputs, and to always issue POSTs carrying around those hidden inputs, but in that case I can't use GET for queries...
So, how do you handle web presentation state?