On Thu, Apr 28, 2016 at 12:16:10PM -0700, Stefano Tranquillini wrote:
> it says "A CSRF cookie that is set to a random value (a session independent
> nonce, as it is called)," and later "For security reasons, the value of
> the CSRF cookie is changed each time a user logs in."
>
> The value is the same in the two tabs because I've not performed the login,
> right? (and it reads the data from the cookie file)
That is mostly correct, but it's really more a matter of how browsers treat cookies – usually, in the same browser window, different tabs will use the same cookies when loading the same domain, unless one of those tabs is in "private" mode and the other is not, in which case they will be independent. But as I said, this depends on how the browser isolates tabs and/or windows from each other.

> but from the first
> sentence it seems that every time I refresh the page (so I open it in a new
> tab) it should change (but if the value is in the cookie then it's not).

No – the Django CSRF middleware will only set the CSRF token to a new value if there was no value provided in the request. That means that if it has already set the value of the CSRF cookie in this session, the same value will be reused until either the cookie expires or you log in, in which case it will be reset by Django.

Does this help clear things up a bit?

Michal