On 10/1/2022 4:56 am, Al Go wrote:
PS: I tried asking on #django, but kept getting the following error with the in-browser Libera IRC client: "Cannot join channel (+r) - you need to be logged into your NickServ account"
You need to log in on IRC; the channel sets that rule (as is normal, to fight bots).
+r means you won't be able to join it unless you are registered and identified to NickServ. You can follow the steps on https://libera.chat/guides/registration for registration.
Inspect element in http://127.0.0.1:8000/_accounts/settings/ (when running the testproject) shows two identical hidden input fields with name="csrfmiddlewaretoken". They seem to be generated by two occurrences of {% csrf_token %}:
CSRF middleware is activated by default
Should/could the first occurrence above be removed? I'm guessing this would NOT cause any actual bug either way,
If your form's POST target is an external website/URL, then it should be removed, because it causes a leak of the CSRF token, which is considered a vulnerability issue.
If your form's target is internal, you can remove it, but it is better to keep it as a defense against unsafe CSRF attacks.
Read https://docs.djangoproject.com/en/4.0/ref/csrf/ for more information; you might find something there.
Regarding having more than 1 CSRF token, it looks wrong. You should only have 1 token per form, like the example at https://paste.debian.net/plain/1226800; as I understand it, we should only send a single CSRF token in the HTTP header.
Do you get any exception when you submit the form that has 2 CSRF tokens?
--
Regards
Robbi Nespu
PGP: D311 B5FF EEE6 0BE8 9C91 FA9E 0C81 FA30 3B3A 80BA
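As an added example, not from the thread or from Django itself, a small template lint in Python that applies the two points raised above: exactly one {% csrf_token %} per POST form, and none in a form whose action points at an external origin (where the token would be sent to a third party). The template strings and the list of our own hosts are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample templates (hypothetical); the first mirrors the
# duplicate-tag case from the thread, the second a form posting off-site.
TEMPLATES = {
    "settings.html": """
<form method="post" action="/_accounts/settings/">
  {% csrf_token %}
  {% csrf_token %}
  <input name="email">
</form>""",
    "payment.html": """
<form method="post" action="https://pay.example.net/checkout">
  {% csrf_token %}
  <input name="amount">
</form>""",
    "ok.html": """
<form method="post" action="">
  {% csrf_token %}
</form>""",
}

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
CSRF_TAG = re.compile(r"{%\s*csrf_token\s*%}")

def is_external(action, own_hosts):
    """An absolute URL whose host is not one of ours posts to a third party."""
    host = urlparse(action).netloc.lower()
    return bool(host) and host not in own_hosts

def lint_template(name, source, own_hosts=("127.0.0.1:8000",)):
    """Return (template, action, message) findings for each form in `source`."""
    findings = []
    for m in FORM_RE.finditer(source):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        method = attrs.get("method", "get").lower()
        action = attrs.get("action", "")  # "" means "post back to this URL"
        tokens = len(CSRF_TAG.findall(m.group(2)))
        if tokens and is_external(action, own_hosts):
            findings.append((name, action, "csrf_token leaks to external target"))
        elif method == "post" and tokens == 0:
            findings.append((name, action, "POST form without csrf_token"))
        elif method == "post" and tokens > 1:
            findings.append((name, action, f"{tokens} csrf_token tags in one form"))
    return findings

def lint_all(templates=TEMPLATES):
    return [f for n, src in templates.items() for f in lint_template(n, src)]
```

Run `lint_all()` to get two findings: the duplicated tag in settings.html and the leak in payment.html; ok.html is clean.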