mozilla / playdoh

PROJECT DEPRECATED (WAS: "Mozilla's Web application base template. Half Django, half awesomeness, half not good at math.")
BSD 3-Clause "New" or "Revised" License

Turn on dummy cache in playdoh by default, so anonymous CSRF works out of the box #68

Open fwenzel opened 13 years ago

fwenzel commented 13 years ago

Anonymous, session-based CSRF is broken by default in Playdoh, unless you set up caching properly. That sucks.

Let's configure/turn on/something a dummy/local memory cache by default so anonymous CSRF has a chance of working out of the box.

tofumatt commented 13 years ago

We should use LocMem cache by default, as it's fast and avoids writes to the disk. Django's actual dummy cache won't work because it doesn't actually store anything.

Of course, we can add memcached to our default/base playdoh vagrant VM and use that going forward.
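Added example, not part of the original thread and not session_csrf's or playdoh's code: a simplified stdlib-only model of cache-backed anonymous CSRF, showing why a store-nothing dummy cache rejects every anonymous POST while a local-memory cache accepts it. It goes one step beyond the comment above by also modelling two worker processes, since a per-process local-memory cache is not shared between them; the class names and the `anoncsrf:` key prefix are constructed for illustration.

```python
import secrets

class DummyCache:
    """Behaves like Django's dummy backend: accepts writes, stores nothing."""
    def set(self, key, value):
        pass
    def get(self, key, default=None):
        return default

class LocMemCache:
    """Behaves like Django's locmem backend: a dict private to one process."""
    def __init__(self):
        self._data = {}
    def set(self, key, value):
        self._data[key] = value
    def get(self, key, default=None):
        return self._data.get(key, default)

class Worker:
    """One server process. Simplified model, not session_csrf's real code."""
    def __init__(self, cache):
        self.cache = cache
    def render_form(self):
        # GET: hand the browser a cookie key and a form token, and keep the
        # token server-side in the cache under that key (constructed prefix).
        cookie, token = secrets.token_hex(16), secrets.token_hex(16)
        self.cache.set("anoncsrf:" + cookie, token)
        return cookie, token
    def accept_post(self, cookie, submitted):
        # POST: the token must still be in the cache and match the form value.
        expected = self.cache.get("anoncsrf:" + cookie)
        return expected is not None and secrets.compare_digest(expected, submitted)

def round_trip(get_worker, post_worker):
    cookie, token = get_worker.render_form()
    return post_worker.accept_post(cookie, token)

def scenarios():
    dummy, local = Worker(DummyCache()), Worker(LocMemCache())
    shared = LocMemCache()  # stands in for one memcached both workers reach
    return {
        "dummy cache": round_trip(dummy, dummy),
        "locmem, one process": round_trip(local, local),
        "locmem, two processes": round_trip(Worker(LocMemCache()), Worker(LocMemCache())),
        "shared cache, two processes": round_trip(Worker(shared), Worker(shared)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30} POST {'accepted' if ok else 'rejected (CSRF failure)'}")
```

In the two-process local-memory case the rejection depends on which worker serves the POST, so in a real deployment it shows up as intermittent CSRF failures rather than a consistent one.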

fwenzel commented 13 years ago

Yes, memcache in vagrant wfm, but it should also work without. Good call on the dummy vs. locmem cache. The latter is the one I meant :)

rfreebern commented 12 years ago

What are the symptoms of this? I can't seem to replicate the problem: on a fresh funfactory-created playdoh app, the bleach form contains an anonymous CSRF token and works fine, and setting ANON_ALWAYS = True in settings/local.py doesn't seem to cause any problems. Is it possible a change in session_csrf has fixed this issue in the last 8 months?

(I'm curious about this because my browserid code needs ANON_ALWAYS = True to work, but that's been highlighted as a possible roadblock due to this issue.)