[Checkins] SVN: Products.PluggableAuthService/trunk/ Add 'getCSRFToken' and 'checkCSRFToken' helpers + 'CSRFToken' view.
David Glick (Plone)
david.glick at plone.org
Fri Nov 16 01:51:35 UTC 2012
On 11/15/12 4:54 PM, Tres Seaver wrote:
> Log message for revision 128301:
> Add 'getCSRFToken' and 'checkCSRFToken' helpers + 'CSRFToken' view.
>
>
>
> from zope import interface
> @@ -187,3 +190,36 @@
>
> return {'keywords': keywords.hexdigest()}
>
> +def getCSRFToken(request):
> + session = request.SESSION
> + token = session.get('_csrft_', None)
> + if token is None:
> + token = session['_csrft_'] = binascii.hexlify(os.urandom(20))
> + return token
> +
>
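Review bot: `getCSRFToken` mints the token into `request.SESSION` and only reads it back from there, so the check in `checkCSRFToken` can only succeed when the request that submits the form reaches an instance that sees the same session as the one that rendered it; behind a non-sticky load balancer without a shared session store the token is simply absent and every submit fails. A token derived from a server-side secret and the authenticated user id (an HMAC, recomputable on any instance) avoids the dependency, or at least the sticky-session requirement should be stated in a docstring, which the function currently lacks. Separately, the body uses `binascii` and `os`, and neither import is visible in this context; if the three-line offset in the `@@ -187,3 +190,36 @@` header comes from an earlier hunk that adds them, fine, otherwise they are missing.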
While it's nice to see some work being done on CSRF protection, I'm
against storing the token in the session, which will break this UI in
non-sticky load-balanced deployments.
Also, os.urandom is not available on all platforms. Here's one way to
handle that:
https://github.com/django/django/blob/master/django/utils/crypto.py#L14
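As an added illustration of the session-free alternative the reply argues for (this is example code, not from the commit or from PluggableAuthService): a token that every instance can recompute from a shared server secret and the authenticated user id, so it survives a non-sticky load balancer, with a constant-time check and an expiry window. The function names, the `issued-hmac` token format and the `max_age` window are assumptions of this example; the server secret is generated once with `os.urandom` and, on a platform without it, should come from configuration rather than a weaker PRNG.

```python
import hashlib
import hmac
import os
import time


def new_server_secret(nbytes=32):
    """One-time secret shared by all instances (store it in config, not a session)."""
    return os.urandom(nbytes)


def _mac(secret, user_id, issued):
    """HMAC-SHA256 over 'user_id:issued'; identical on every instance holding `secret`."""
    msg = ("%s:%d" % (user_id, issued)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_csrf_token(secret, user_id, now=None):
    """Return '<issued>-<hex mac>' bound to this user; no server-side state is kept."""
    issued = int(time.time() if now is None else now)
    return "%d-%s" % (issued, _mac(secret, user_id, issued))


def check_csrf_token(secret, user_id, token, max_age=3600, now=None):
    """True only if `token` was minted for `user_id` within `max_age` seconds."""
    try:
        issued_s, mac = token.split("-", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    current = int(time.time() if now is None else now)
    if issued > current or current - issued > max_age:
        return False  # token from the future or expired
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(_mac(secret, user_id, issued), mac)


if __name__ == "__main__":
    secret = new_server_secret()
    tok = make_csrf_token(secret, "alice")
    print(tok, check_csrf_token(secret, "alice", tok))
```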