Should @csrf_protect be used in my django output view along with middleware

Question

Should @csrf_protect be used in my django output view along with middleware

I have a custom logout view. I added decorators as shown below

from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST
from django.contrib.auth.views import logout_then_login

@csrf_protect
@require_POST
@never_cache
def logout(request):
    nxt=request.POST.get('next')
    print 'next=',nxt
    return logout_then_login(request, nxt)

In my settings file, I have the following middleware classes

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
)

Since CsrfViewMiddleware is included here, do I really need @csrf_protect for my view? If I use both options, will there be a problem / conflict?

As a side, when I checked the django source , I found that decorators are used only for logging in, and not for any of the logout login_then_logout views. Why is this?

Any help is appreciated

+5

django csrf

damon Mar 30 '12 at 2:15

source share

1 answer

Todd · Accepted Answer · 2012-03-30T03:18:36+0000

- . Django Middleware , .

, . " " .

, , , CSRF, , login_then_logout , .

, , CSRF - Django CSRF CSRF ?

Should @csrf_protect be used in my django output view along with middleware

More articles: