Django logout using a link or form to prevent csrf exploit?

Up vote 1 down vote favorite share g+ share fb share tw.

While reading up djangobook chapter ,I came across the section which mentions a csrf exploit where a logout link was put in a hidden of malicious site. In a web app I created using django,I had used a similar logout link base. Html: Logout where the my_logout url points to django.contrib.auth.views.

Logout_then_login urlpatterns=patterns('django.contrib.auth. Views', url(r'^logout/$', 'logout_then_login', {}, name = 'my_logout'), ) Now,after reading about csrf attack,I fear that a malicious site can cause trouble for me too. So,I would like to use a form to do the logging out.

I thought I could do like this base. Html: ... {% csrf_token %} ... Now,how should I write the view for processing this form? If I am to process the hidden variables(confirm to check whether logout should be done and next to go to the previous view) ,will I still be able to use the django.contrib.auth.views.

Logout_then_login method? Can someone please tell me if I am doing this the right way? Thanks in advance django csrf logout link|improve this question edited Mar 29 at 17:22 asked Mar 29 at 17:05damon685 92% accept rate.

You could wrap it like from django.views.decorators. Cache import never_cache from django.views.decorators. Csrf import csrf_protect from django.views.decorators.

Http import require_POST @csrf_protect @require_POST @never_cache def safer_logout(request): # 'confirm' is useless here, POST implies 'do it' return logout_then_login(request, request.POST. Get('next')) Also, consider using SESSION_COOKIE_HTTPONLY.

ClaudeVedovini just felt somebody was typing fast when I was editing it, ha =p – okm Mar 29 at 17:39 I was going to post almost the same answer :) Anyway, I would add that I don't think this is really useful. CSRF exploits are used to trick users in completing actions in applications they are logged in, there is not really a point in forcing them to logout. – Claude Vedovini Mar 29 at 17:44 @ClaudeVedovini Yes, but sometimes its harmful when the attacker intends to log you out for a while or wait for your new login procedure – okm Mar 29 at 17:52 thanks guys..a small problem though.. the next parameter returns emptystring no matter where I logout from .

Won't it get set automatically in the form? – damon Mar 29 at 17:59 what about not to pass in request.POST. Get('next') – okm Mar 297 at 0:57.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.