I am testing the CSRF protection on my site and I have noticed something unexpected.
I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there right next to the <form> element. I changed the ID of the form to make sure it was definitely updating the source and it was but the hidden input is still there.
I am using Django 1.2. Is {% csrf_token %} still necessary?
Cheers
Rich
After more investigation it appears the {% csrf_token %} is always inserted if the form has method post and not if it doesn't. Very clever auto protection from Django.
From the documentation:
In Django 1.1, the template tag did not exist. Instead, a post-processing middleware that re-wrote POST forms to include the CSRF token was used. If you are upgrading a site from version 1.1 or earlier, please read this section and the Upgrading notes below.
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#legacy-method
来源:https://stackoverflow.com/questions/4323085/is-the-csrf-token-csrf-protection-tag-still-necessary-in-django-1-2