Disabling CSRF is not working.


Laxmikant Gurnalkar

Oct 4, 2012, 4:56:58 AM10/4/12
to django...@googlegroups.com
Hi, Guys

Disabling CSRF is not working.
These are my middlewares. I removed {% csrf_token %} from all templates.

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # 'django.contrib.messages.middleware.MessageMiddleware',
    # 'django.middleware.csrf.CsrfResponseMiddleware',
    # 'igp_acfs.acfs.disablecsrf.DisableCSRF',
)


I also tried writing disablecsrf.py like this:

class DisableCSRF(object):
    def process_request(self, request):
        """Flag the request so CsrfViewMiddleware skips its token check."""
        setattr(request, '_dont_enforce_csrf_checks', True)


Thanks in Advance!!!

Laxmikant

Bill Freeman

Oct 5, 2012, 4:06:54 PM10/5/12
to django...@googlegroups.com
I believe that I read somewhere that newer Djangos force the CSRF
middleware even if it's not listed in MIDDLEWARE_CLASSES.

You could dive into the middleware code to see how this happens, and
come up with a stable strategy to circumvent it. Or you could just
fix the necessary views and templates. There is, after all, a chance
that you will want to be able to upgrade this site without jumping
through hoops.

Ian Clelland

Oct 5, 2012, 6:20:37 PM10/5/12
to django...@googlegroups.com
On Friday, October 5, 2012, Bill Freeman wrote:
I believe that I read somewhere that newer Djangos force the CSRF
middleware even if it's not listed in MIDDLEWARE_CLASSES.

You might be thinking of the CSRF context processor, which is always enabled, no matter what is in settings. Even the most recent docs don't say anything about forcing the middleware.
--
Regards,
Ian Clelland
<clel...@gmail.com>

Bill Freeman

Oct 5, 2012, 7:08:45 PM10/5/12
to django...@googlegroups.com
Right you are.

Laxmikant Gurnalkar

Oct 7, 2012, 3:41:51 AM10/7/12
to django...@googlegroups.com
Thanks for the response.
I had a problem like this:
   I was trying to create a store site which could work without the Django framework but using Django, i.e. just a static template index.html & a JavaScript file, with all the stuff dynamically generated & only the URLs provided by Django, so that anybody can use my index.html, which just calls my server for the URL to display dynamic content using the user's information.
So for this purpose I had cookies residing in my browser and I was trying to create database objects using JavaScript with API URLs.

When I studied CSRF in detail, I understood that private dynamic JavaScript cookies cannot be directly used to retrieve or access the database related to your site. Hence, my JavaScript was considered by Django as malicious/attack content and threw a 403 Forbidden error. So I was trying to remove the CSRF from my project, but failed, for the same reason you guys have told me.
    So, on understanding CSRF, I just removed the cookie code & just added parameters to the URL just before the user refreshes the page. And the whole thing worked. That was a great experience.

Anyway,
please tell me if there is any other method to do this; adding parameters to the URL is definitely not always secure.

One more thing: I am using csrf_exempt to handle API views.

Thanks a lot again.

GlxGuru

Kurtis Mullins

Oct 8, 2012, 5:15:49 AM10/8/12
to django...@googlegroups.com
Another solution would be to simply work with the CSRF protection. It's not really that hard, even when using JavaScript. There's even a good, simple example of using jQuery with it in the official documentation.
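The browser side of "working with the CSRF protection" that Kurtis describes, as an added example (not code from the thread or from the Django docs): read the `csrftoken` cookie Django sets and echo it back in the `X-CSRFToken` header on every state-changing, same-origin request. The `/api/items/` endpoint is a constructed placeholder.

```javascript
// Parse a document.cookie-style string ("a=1; csrftoken=abc; b=2") and return
// the named cookie's decoded value, or null if it is absent.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Django only enforces the token on unsafe methods; GET/HEAD/OPTIONS/TRACE
// must stay free of side effects, so they never need (or send) it.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build the headers for an API request. The token is attached only for
// unsafe methods and only when the target is the same origin, so it is
// never handed to a third-party host.
function buildHeaders(method, url, cookieString, origin) {
  const headers = { 'Content-Type': 'application/json' };
  const target = new URL(url, origin);
  if (!csrfSafeMethod(method) && target.origin === origin) {
    const token = getCookie(cookieString, 'csrftoken');
    if (!token) {
      throw new Error('csrftoken cookie missing: render a page with the token first');
    }
    headers['X-CSRFToken'] = token;
  }
  return headers;
}

// Browser usage (the /api/items/ endpoint is a constructed placeholder):
//   fetch('/api/items/', {
//     method: 'POST',
//     credentials: 'same-origin',
//     headers: buildHeaders('POST', '/api/items/', document.cookie, location.origin),
//     body: JSON.stringify({ name: 'widget' }),
//   });
```

Because the thread removed {% csrf_token %} from every template, the view that serves index.html must still set the cookie, for example with the ensure_csrf_cookie decorator from django.views.decorators.csrf; otherwise getCookie finds nothing and the POST is rejected with 403.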

Bill Freeman

Oct 9, 2012, 4:54:26 PM10/9/12
to django...@googlegroups.com
If you can't disable the middleware, you could consider marking the
view with the csrf_exempt decorator from django.views.decorators.csrf
(see https://docs.djangoproject.com/en/1.4/contrib/csrf/#utilities).

Bill


Laxmikant Gurnalkar

Oct 10, 2012, 12:36:34 AM10/10/12
to django...@googlegroups.com
Yeah, thanks a lot. Now I prefer to work with CSRF.