Django fails to delete csrftoken after logout
Published: 2020-12-20 13:37:19 | Category: Python | Source: compiled from the web
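I use Varnish as a front-end cache for my Django application. It all works with the VCL configuration. The problem I have is that after a user logs out, the csrftoken cookie is not deleted, and from then on Varnish gives a MISS response instead of a HIT. After reading some related questions here on Stack Overflow, I have this logout view: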

    from django.contrib.auth import logout
    from django.http import HttpResponseRedirect
    from django.shortcuts import render_to_response
    from django.template import RequestContext

    def logout_view(request):
        response = render_to_response('registration/logout.html', {},
                                      context_instance=RequestContext(request))

        if request.user.is_authenticated():
            logout(request)

            # Redirect target comes straight from the query string (unvalidated).
            next_url = request.GET.get('next', False)
            if next_url:
                response = HttpResponseRedirect(next_url)

        # Expire both cookies on whichever response is returned.
        response.delete_cookie('sessionid')
        response.delete_cookie('csrftoken')
        return response

These are the response headers after the user hits the logout page:

    Response Headers
    Age:0
    Cache-Control:max-age=600
    Connection:keep-alive
    Content-Language:en
    Content-Type:text/html; charset=utf-8
    Date:Mon,23 Sep 2013 09:20:43 GMT
    Expires:Mon,23 Sep 2013 09:30:43 GMT
    P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
    Server:nginx/1.4.1
    Set-Cookie:sessionid=; expires=Thu,01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    Set-Cookie:csrftoken=; expires=Thu,01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
    Transfer-Encoding:chunked
    Vary:Cookie,Accept-Language,Host
    Via:1.1 varnish
    X-Cache:MISS
    X-Varnish:1950616479

default.vcl, for completeness:

    backend default {
        .host = "127.0.0.1";
        .port = "8000";
    }

    sub vcl_recv {
        set req.grace = 15s;

        if (req.http.Cookie) {
            # removes all cookies named __utm? (utma,utmb...) - tracking thing
            set req.http.Cookie = regsuball(req.http.Cookie, "(^|; ) *__utm.=[^;]+;? *", "\1");
        }

        # unless sessionid/csrftoken is in the request, don't pass ANY cookies (referral_source, utm, etc)
        if (req.request == "GET" && (req.url ~ "^/static" || (req.http.cookie !~ "flash_sessionid" && req.http.cookie !~ "csrftoken"))) {
            remove req.http.Cookie;
        }

        # normalize accept-encoding to account for different browsers
        # see: https://www.varnish-cache.org/trac/wiki/VCLExampleNormalizeAcceptEncoding
        if (req.http.Accept-Encoding) {
            if (req.http.Accept-Encoding ~ "gzip") {
                set req.http.Accept-Encoding = "gzip";
            } elsif (req.http.Accept-Encoding ~ "deflate") {
                set req.http.Accept-Encoding = "deflate";
            } else {
                # unknown algorithm
                remove req.http.Accept-Encoding;
            }
        }
    }

    sub vcl_fetch {
        set beresp.ttl = 300s;
        set beresp.grace = 15s;

        # static files always cached
        if (req.url ~ "^/static") {
            unset beresp.http.set-cookie;
            return (deliver);
        }

        # pass through for anything with a session/csrftoken set
        if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken") {
            return (hit_for_pass);
        } else {
            return (deliver);
        }
    }

    sub vcl_deliver {
        # Add a header to indicate a cache HIT/MISS
        if (obj.hits > 0) {
            set resp.http.X-Cache = "HIT";
        } else {
            set resp.http.X-Cache = "MISS";
        }
        return (deliver);
    }

In the response headers I see that Django sets the cookie value with an expiry date in the past, but the csrftoken cookie still remains on the next request.

I also tried removing the 'django.middleware.csrf.CsrfViewMiddleware' middleware, but the cookie is still there.

Solution
You can fix the problem by editing vcl_fetch as follows:

    sub vcl_fetch {
        # pass through for anything with a session/csrftoken set
        if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken" || beresp.http.set-cookie ~ "sessionid") {
            return (hit_for_pass);
        } else {
            return (deliver);
        }
    }

This way you check for Set-Cookie:sessionid.

When using beresp.http.set-cookie, Varnish only sees the first Set-Cookie header, so in your case Varnish returns to vcl_deliver instead of hit_for_pass.

For further reading, I suggest you take a look at vmod_header.

(Editor: 李大同)
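The first-header behaviour the answer describes, modelled in Python as an added example (not code from the original post or from Varnish). `vcl_fetch_decision`, `cookie_names` and the `first_only` flag are hypothetical names; the Set-Cookie values are copied from the response headers in the question.

```python
import re

# Set-Cookie headers from the logout response in the question, in order.
LOGOUT_SET_COOKIE = [
    "sessionid=; expires=Thu,01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/",
    "csrftoken=; expires=Thu,01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/",
]

ORIGINAL_PATTERNS = ("flash_sessionid", "csrftoken")            # question's vcl_fetch
ANSWER_PATTERNS = ("flash_sessionid", "csrftoken", "sessionid")  # answer's vcl_fetch


def vcl_fetch_decision(set_cookie_headers, patterns, first_only=True):
    """Model of the `beresp.http.set-cookie ~ "..."` tests in vcl_fetch.

    first_only=True mirrors the behaviour described in the answer: only the
    first Set-Cookie header is visible to the comparison. first_only=False
    models a check that inspects every Set-Cookie header (an assumption about
    what a header-aware check would do, not a Varnish API).
    """
    visible = set_cookie_headers[:1] if first_only else set_cookie_headers
    for header in visible:
        # VCL's `~` is an unanchored regex match, like re.search.
        if any(re.search(p, header) for p in patterns):
            return "hit_for_pass"
    return "deliver"


def cookie_names(set_cookie_headers):
    """Names of the cookies a response sets or clears."""
    return [h.split("=", 1)[0].strip() for h in set_cookie_headers]


if __name__ == "__main__":
    print(cookie_names(LOGOUT_SET_COOKIE))
    for label, patterns, first_only in [
        ("original VCL, first header only", ORIGINAL_PATTERNS, True),
        ("answer's VCL, first header only", ANSWER_PATTERNS, True),
        ("original patterns, all headers", ORIGINAL_PATTERNS, False),
    ]:
        print(label, "->", vcl_fetch_decision(LOGOUT_SET_COOKIE, patterns, first_only))
    # With only the first header visible, header order decides the outcome.
    print("reversed order ->", vcl_fetch_decision(LOGOUT_SET_COOKIE[::-1], ORIGINAL_PATTERNS))
```

With the question's patterns the logout response falls through to `deliver` even though it carries two Set-Cookie headers, and the result flips if the backend happens to emit csrftoken first.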