Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Filip Gruszczyński
> rather than disable it, why do you not use it? it's going to be there for a
> long time, and although it is a bit tedious to enable it, it is worth doing
> once and for all - remember that this is practically the only security hole
> found in django after nearly 5 years of release. I guess we wi

Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Filip Gruszczyński
> I suspect you are using the contrib.auth login view. All contrib app views
> use the csrf_protect decorator ("All contrib apps use a csrf_protect
> decorator to protect the view. This requires the use of the csrf_token
> template tag in the template. If you have used custom templates for contrib

Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Kenneth Gonsalves
On Monday 07 June 2010 18:00:53 Filip Gruszczyński wrote:
> If you do not have any of the middleware in your MIDDLEWARE_CLASSES,
> you will have a working installation but without any CSRF protection
> for your views (just as you had before). It is strongly recommended to
> install CsrfViewMiddlewa

Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Karen Tracey
2010/6/7 Filip Gruszczyński
> Docs say:
>
> If you do not have any of the middleware in your MIDDLEWARE_CLASSES,
> you will have a working installation but without any CSRF protection
> for your views (just as you had before). It is strongly recommended to
> install CsrfViewMiddleware and CsrfRes

Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Filip Gruszczyński
Docs say:

If you do not have any of the middleware in your MIDDLEWARE_CLASSES, you will have a working installation but without any CSRF protection for your views (just as you had before). It is strongly recommended to install CsrfViewMiddleware and CsrfResponseMiddleware, as described above. So

Re: Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Kenneth Gonsalves
On Monday 07 June 2010 17:53:46 Filip Gruszczyński wrote:
> I have just upgraded to 1.2 and when I run ./manage runserver and
> tried to open main page of our project first I was asked to login and
> when I hit enter I got:
>
> Forbidden (403)
> CSRF verification failed. Request aborted.
>
> I ha

Haven't enabled CSRF protection and yet server throws CSRF based 403

2010-06-07 Thread Filip Gruszczyński
I have just upgraded to 1.2 and when I run ./manage runserver and tried to open main page of our project first I was asked to login and when I hit enter I got:

Forbidden (403)
CSRF verification failed. Request aborted.

I haven't turned CSRF protection when I was using 1.1.1, so my project should