利用 Django 的中间件 CsrfViewMiddleware，在 settings 里配置：
# Middleware stack for the project.  Order matters: Django runs request
# processing top-to-bottom and response processing bottom-to-top.
# (MIDDLEWARE_CLASSES is the older setting name; newer Django releases use
# MIDDLEWARE with the same kind of list -- check the installed version.)
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    # CSRF protection: POST requests that do not carry a valid token are
    # rejected with the "403 CSRF verification failed" page quoted below.
    # Keep it after SessionMiddleware and before the auth middleware.
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
在模板里配置：
{# The csrf_token tag must sit inside the <form> so the hidden token field is #}
{# submitted with the POST.  It only renders a token when the view passes the #}
{# request context (render()/RequestContext); with a plain Context it is     #}
{# empty and the middleware answers 403 -- see the notes below the view.     #}
<form action="#" method="post">
{% csrf_token %}
{{ form.as_p }}
<input type="submit" value="submit">
</form>
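# @csrf_protect is redundant while CsrfViewMiddleware is enabled, but it keeps
# this view protected even if the middleware is later removed from settings.
@csrf_protect
def login(request):
    """Render the login form and handle its POST submission.

    GET: build an empty ``LoginForm`` and set Django's test cookie so the
    next POST can confirm that the browser accepts cookies.

    POST: rebuild the form from ``request.POST``.  If the test cookie came
    back, delete it and compare ``uname`` against a hard-coded value before
    validating the form; otherwise tell the user to enable cookies.

    NOTE: the hard-coded user name is demo logic only -- real
    authentication belongs in ``django.contrib.auth``.

    Args:
        request: the incoming ``HttpRequest``.

    Returns:
        An ``HttpResponse``: a plain message on success / wrong user name /
        missing cookie, otherwise the rendered ``fage/login.html`` form
        (with ``msg`` set when the form failed validation).
    """
    msg = ''
    if request.method == 'POST':
        form = loginform.LoginForm(request.POST)
        if request.session.test_cookie_worked():
            request.session.delete_test_cookie()
            # User-name check happens before form validation, as in the
            # original flow; the message below is only reached for 'shuifa'.
            if request.POST.get('uname', '') == 'shuifa':
                if form.is_valid():
                    return HttpResponse('your are login')
                else:
                    msg = u'不合格'
            else:
                return HttpResponse('uname wrong')
        else:
            # Fix: the response was previously built and discarded, so the
            # user fell through to the form and never saw this message.
            return HttpResponse('please enable the cookie settings')
    else:
        form = loginform.LoginForm()
        request.session.set_test_cookie()
    # render() hands the request to the template, which is what lets
    # {% csrf_token %} emit a token.  render_to_response() with a plain
    # Context did not work here: the token was missing and the middleware
    # replied "403 CSRF verification failed".
    return render(request, 'fage/login.html', {'form': form, 'msg': msg})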
Forbidden (403) CSRF verification failed. Request aborted.
Use RequestContext for the template instead of Context: the csrf_token tag only gets its token from the request context, which is why the commented-out render_to_response call above fails with the 403 and render(request, ...) works.