https://www.jianshu.com/p/9346bbc3a8f1
一般我们认为cookie里的csrftoken是由csrftoken middleware所设置的,事实确实如此,但也不完全是。贴一段CsrfViewMiddleware的代码:
def process_response(self, request, response):
if getattr(response, 'csrf_processing_done', False): return response # If CSRF_COOKIE is unset, then CsrfViewMiddleware.process_view was # never called, probably because a request middleware returned a response # (for example, contrib.auth redirecting to a login page). if request.META.get("CSRF_COOKIE") is None: return response # 重点在这里 if not request.META.get("CSRF_COOKIE_USED", False): return response # Set the CSRF cookie even if it's already set, so we renew # the expiry timer. response.set_cookie(settings.CSRF_COOKIE_NAME, request.META["CSRF_COOKIE"], max_age=settings.CSRF_COOKIE_AGE, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE, httponly=settings.CSRF_COOKIE_HTTPONLY ) # Content varies with the CSRF cookie, so set the Vary header. patch_vary_headers(response, ('Cookie',)) response.csrf_processing_done = True return response 这段代码的重点在于对CSRF_COOKIE_USED的检查,如果没有设置,middleware会直接返回response而不在cookie里设置csrftoken。
而CSRF_COOKIE_USED是在哪设置的呢?有几种途径:
- 手动设置。在你的view里添加
request.META["CSRF_COOKIE_USED"] = True - 手动调用csrf middleware的
get_token(request)或rotate_token(request)方法
作者:AlfredX
链接:https://www.jianshu.com/p/9346bbc3a8f1
來源:简书
简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。