Home/ Questions/Q 7714013
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T02:01:01+00:00

while reading up djangobook chapter ,I came across the section which mentions a csrf

  • 0

while reading up djangobook chapter ,I came across the section which mentions a csrf exploit where a logout link was put in a hidden of malicious site.

In a web app I created using django,I had used a similar logout link

base.html:

<a  href="{% url my_logout %}" > Logout </a>

where the my_logout url points to django.contrib.auth.views.logout_then_login

urlpatterns=patterns('django.contrib.auth.views',
url(r'^logout/$', 'logout_then_login', {}, name = 'my_logout'),
)

Now,after reading about csrf attack,I fear that a malicious site can cause trouble for me too.So,I would like to use a form to do the logging out.

I thought I could do like this

base.html:

    ...

    <form method="post" action=".">{% csrf_token %}
        <input type="hidden" name="next" value="{{next}}" />
        <input type="hidden" name="confirm" value="true" />
        <input type="submit" value="Logout" />
    </form>
...

Now,how should I write the view for processing this form?If I am to process the hidden variables(confirm to check whether logout should be done and next to go to the previous view) ,will I still be able to use the django.contrib.auth.views.logout_then_login method?

can someone please tell me if I am doing this the right way?

thanks in advance

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could wrap it like

    from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST

@csrf_protect
@require_POST
@never_cache
def safer_logout(request):
    # 'confirm' is useless here, POST implies 'do it'
    return logout_then_login(request, request.POST.get('next'))

    Also, consider using SESSION_COOKIE_HTTPONLY

    • 0