Re: Logging Out with POST by Default?


Carl Meyer

Sep 20, 2012, 2:03:03 PM
to django-d...@googlegroups.com
On 09/20/2012 11:52 AM, Adam Taylor wrote:
> I recently read the Coding Horror article Cross-Site Request Forgeries
> and You
> <http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html>,
> which suggests requiring an HTTP POST form submission for logging out.
> This same suggestion is implied in the Django book (chapter 16's "A
> Simple CSRF Example" section
> <http://www.djangobook.com/en/2.0/chapter16/#cn160>). Then I found
> Django ticket #7989 Logout view should require POST request
> <https://code.djangoproject.com/ticket/7989>. I think that the "secure
> by default" mentality should be applied here, just like how variables
> are escaped by default in templates (you have to explicitly say that you
> /don't/ want them escaped).

FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
on all my projects nowadays to avoid logout CSRF, and it's really quite
simple. You can easily style a form button to look however you want
(including just like a link), so there's really no negative impact
besides slightly more markup in the template.

The only irritating bit is that the Django admin implements its own
logout via GET, so you have to subclass AdminSite to fix that if you're
using the admin.

Carl
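As an added illustration of the logout-via-POST pattern described above (example code, not Carl's or Django's own; the Request/Response classes and the session dict are a constructed stand-in for a framework, and the field name csrfmiddlewaretoken mirrors Django's form field), this shows why a GET-only cross-site request cannot end the session once the view insists on POST plus a session-bound token:

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    session: dict                       # constructed server-side session store
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def csrf_token(request):
    """Issue (or reuse) a per-session CSRF token; the logout form embeds it."""
    return request.session.setdefault("csrf_token", secrets.token_hex(16))


def logout_view(request):
    # A bare <img src="/accounts/logout/"> or plain link on a third-party
    # page arrives as GET: refuse it instead of ending the session.
    if request.method != "POST":
        return Response(405, "Method Not Allowed")
    # A cross-site POST from an attacker-controlled form cannot read the
    # token stored in the victim's session, so this comparison fails.
    expected = request.session.get("csrf_token", "")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return Response(403, "CSRF verification failed")
    request.session.clear()             # the actual logout
    return Response(302, "redirect to login page")


def logout_form(request):
    """Template counterpart: a submit button styled as a link, not an <a href>."""
    return (
        '<form method="post" action="/accounts/logout/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_token(request)}">'
        '<button type="submit" class="link-style">Log out</button>'
        "</form>"
    )
```

In Django itself the same effect comes from `@require_POST` on the view and `{% csrf_token %}` in the form template.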

Aymeric Augustin

Sep 21, 2012, 9:56:50 AM
to django-d...@googlegroups.com
On 20 Sept 2012 at 20:03, Carl Meyer <ca...@oddbird.net> wrote:

> FWIW I agree, and I think #7989 should be reopened. I do logout-via-POST
> on all my projects nowadays to avoid logout CSRF, and it's really quite
> simple. You can easily style a form button to look however you want
> (including just like a link), so there's really no negative impact
> besides slightly more markup in the template.

I'm also in favor of reconsidering #7989, because Django has become a widely-used, general-purpose framework, and it has a responsibility to promote good practices.

For instance, readthedocs.org simply uses django.contrib.auth by the book [1], and thus is vulnerable to logout XSRF. (Disqus and Pinterest aren't vulnerable and RTD.org is the next site that crossed my mind — I'm not picking on RTD.org in any way.)

Django should provide as much built-in security as possible, especially for low-budget sites that can't afford security consultants.

> The only irritating bit is that the Django admin implements its own
> logout via GET, so you have to subclass AdminSite to fix that if you're
> using the admin.


Let's update the admin base template and logout view to use POST.

--
Aymeric.


[1] https://docs.djangoproject.com/en/dev/topics/auth/ says:

> For example, using the defaults, add the following line to your URLconf:
> (r'^accounts/login/$', 'django.contrib.auth.views.login'),

Paul McMillan

Sep 21, 2012, 8:53:28 PM
to django-d...@googlegroups.com
That's the same ticket as this one, which is more recent and has been
open for longer...

https://code.djangoproject.com/ticket/15619

FWIW, I agree we need to fix this.