django-session-csrf is an alternative implementation of Django's CSRF
protection that does not use cookies. Instead, it maintains the CSRF token on
the server using Django's session backend. The csrf token must still be
included in all POST requests (either with csrfmiddlewaretoken in the form or
with the X-CSRFTOKEN header).
From PyPI::
pip install django-session-csrf
From github::
git clone git://github.com/mozilla/django-session-csrf.git
Replace django.core.context_processors.csrf with
session_csrf.context_processor in your TEMPLATE_CONTEXT_PROCESSORS::
TEMPLATE_CONTEXT_PROCESSORS = (
...
'session_csrf.context_processor',
...
)
Replace django.middleware.csrf.CsrfViewMiddleware with
session_csrf.CsrfMiddleware in your MIDDLEWARE_CLASSES
and make sure it is listed after the AuthenticationMiddleware::
MIDDLEWARE_CLASSES = (
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
...
'session_csrf.CsrfMiddleware',
...
)
Then we have to monkeypatch Django to fix the @csrf_protect decorator::
import session_csrf
session_csrf.monkeypatch()
Make sure that's in something like your root urls.py so the patch gets
applied before your views are imported.
django-session-csrf does not assign CSRF tokens to anonymous users because
we don't want to support a session for every anonymous user. Instead, views
that need anonymous forms can be decorated with @anonymous_csrf::
from session_csrf import anonymous_csrf
@anonymous_csrf
def login(request):
...
anonymous_csrf uses the cache to give anonymous users a lightweight
session. It sends a cookie to uniquely identify the user and stores the CSRF
token in the cache. It can be controlled through these settings:
``ANON_COOKIE``
the name used for the anonymous user's cookie
Default: ``anoncsrf``
``ANON_TIMEOUT``
the cache timeout (in seconds) to use for the anonymous CSRF tokens
Default: ``60 * 60 * 2 # 2 hours``
Note that by default Django uses local-memory caching, which will not
work with anonymous CSRF if there is more than one web server thread.
To use anonymous CSRF, you must configure a cache that's shared
between web server instances, such as Memcached. See the Django cache documentation <https://docs.djangoproject.com/en/dev/topics/cache/>_
for more information.
If you only want a view to have CSRF protection for logged-in users, you can
use the anonymous_csrf_exempt decorator. This could be useful if the
anonymous view is protected through a CAPTCHA, for example.
::
from session_csrf import anonymous_csrf_exempt
@anonymous_csrf_exempt
def protected_in_another_way(request):
...
If you want all views to have CSRF protection for anonymous users, use the following setting:
``ANON_ALWAYS``
always provide CSRF protection for anonymous users
Default: False
FAQs
CSRF protection for Django without cookies.
We found that django-session-csrf demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Socket uncovered npm malware campaign mimicking popular Node.js libraries and packages from other ecosystems; packages steal data and execute remote code.
Research
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
Research
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.