Login

SignedForm: CSRF-protect forms with a hidden token field

Author:
exogen
Posted:
September 22, 2008
Language:
Python
Version:
1.0
Tags:
forms csrf
Score:
0 (after 0 ratings)

This form subclass helps protect against cross-site request forgery by adding a hidden field named csrf_token to forms. The form must be initialized with the request as a keyword argument, both with and without POST data:

my_form = MySignedForm(request=request)
...
my_form = MySignedForm(request.POST, request=request)

Upon validation, a PermissionDenied exception will be raised if forgery is detected.

If any security details have been overlooked in this recipe, please leave a comment.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from django import forms
from django.core.exceptions import PermissionDenied
from django.contrib.csrf.middleware import _make_token, _ERROR_MSG

class HiddenInputWithoutID(forms.HiddenInput):
    def render(self, name, value, attrs=None):
        if attrs and 'id' in attrs:
            del attrs['id']
        return super(HiddenInputWithoutID, self).render(name, value, attrs=attrs)

class SignedForm(forms.Form):
    csrf_token = forms.CharField(max_length=32, widget=HiddenInputWithoutID)

    def __init__(self, *args, **kwargs):
        request = kwargs.pop('request', None)
        if request:
            csrf_token = _make_token(request.session.session_key)
            kwargs.setdefault('initial', {})['csrf_token'] = csrf_token
        return super(SignedForm, self).__init__(*args, **kwargs)

    def clean_csrf_token(self):
        csrf_token = self.initial.get('csrf_token')
        value = self.cleaned_data.get('csrf_token')
        if csrf_token != value:
            raise PermissionDenied(_ERROR_MSG)
        return value

More like this

  1. Tamper safe HiddenFields by alexmeisel 6 years, 8 months ago
  2. Fieldsets for Views by Nad 5 years, 6 months ago
  3. Hidden Forms by insin 8 years ago
  4. CSRF this! by oggy 6 years, 10 months ago
  5. Add CSRF token to templates by coleifer 4 years, 1 month ago

Comments

exogen (on October 17, 2009):

@Tarken: Greater control. See the Limitations section on that page. Also, I consider the approach of parsing and rewriting the entire response inherently ugly. :)

#

Please login first before commenting.