Tags: django, django-templates, django-views, django-csrf

Is CSRF needed in the view, or is having it in the template sufficient, in Django?


I have seen example code in tutorials such as the following:

    from django.core.context_processors import csrf
    from django.shortcuts import render

    # Variant 1: explicitly add the CSRF token to the template context
    def login_view(request):
        c = {}
        c.update(csrf(request))
        return render(request, 'login.html', c)

    # Variant 2: rely on render() to supply the token through the request context
    def login_view(request):
        return render(request, 'login.html')

In the template file, I have `{% csrf_token %}` declared.

    {% extends "base.html" %}
    {% block content %}
    {% if form.errors %}
      <p class="error"> sorry, not a valid username or password </p>
    {% endif %}

    <form action="/accounts/auth/" method="post">{% csrf_token %}
    <label for="username"> UserName:</label>
    <input type="text" name="username" value="" id="username">
    <label for="password"> Password:</label>
    <input type="password" name="password" value="" id="password">
    <input type="submit" value="login">
    </form>

    {% endblock %}

My question is whether CSRF needs to be present on both ends (when rendering in the view and also in the template). `render` without `csrf` in the view works fine, but I want to know the best practice. I am using Django 1.6.2.


Solution

  • It has to be present in the template to prevent cross-site request forgery, but it is not needed in the view. This is just my opinion, I could be wrong.
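Editor's note on why the answer holds for Django 1.6: `django.shortcuts.render()` renders with a `RequestContext`, and Django always applies the `django.core.context_processors.csrf` processor to a `RequestContext`, so `csrf_token` is in the context whether or not the view calls `c.update(csrf(request))`. The explicit call only matters when a template is rendered with a plain `Context` (for example `render_to_response()` without `context_instance=RequestContext(request)`). What actually enforces the protection is `CsrfViewMiddleware` (on by default in `MIDDLEWARE_CLASSES`) or the `@csrf_protect` decorator; `{% csrf_token %}` only emits the hidden `csrfmiddlewaretoken` input the middleware looks for, which is why leaving the tag out of the template breaks the login even though the view "works".

The following is an added example, not code from the question or from Django itself. It is a deliberately simplified, self-contained model of the Django 1.6 check (cookie value compared with the posted hidden field; no Referer check, no token masking) with constructed form and POST data, so it runs offline. The function names (`issue_csrf_cookie`, `render_login_form`, `browser_submit`, `csrf_check`, `simulate`) are assumptions for illustration.

```python
import hmac
import re
import secrets

# Added, simplified model of what Django's CsrfViewMiddleware does on a POST
# (this is not Django's own code): the secret lives in the csrftoken cookie,
# the template's {% csrf_token %} tag echoes it as a hidden input named
# csrfmiddlewaretoken, and the middleware rejects the POST unless both match.

HIDDEN_INPUT = re.compile(r'name="csrfmiddlewaretoken" value="([0-9a-f]+)"')


def issue_csrf_cookie():
    """Server side: mint the per-client secret that is set as the csrftoken cookie."""
    return secrets.token_hex(16)


def render_login_form(csrf_token, with_tag=True):
    """Server side: the login template from the question, with or without
    {% csrf_token %}. The hidden input is what the tag expands to."""
    hidden = ''
    if with_tag:
        hidden = ('<input type="hidden" name="csrfmiddlewaretoken" '
                  'value="%s">' % csrf_token)
    return (
        '<form action="/accounts/auth/" method="post">%s'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '<input type="submit" value="login"></form>' % hidden
    )


def browser_submit(form_html, username="alice", password="s3cret"):
    """Client side: a browser posts back whatever hidden fields the form had
    (constructed POST data; no network involved)."""
    post = {"username": username, "password": password}
    match = HIDDEN_INPUT.search(form_html)
    if match:
        post["csrfmiddlewaretoken"] = match.group(1)
    return post


def csrf_check(cookie_token, post_data):
    """Middleware side: 200 if the posted token matches the cookie, else 403.
    Constant-time comparison so the check does not leak the token byte by byte."""
    posted = post_data.get("csrfmiddlewaretoken")
    if not cookie_token or posted is None:
        return 403
    if not hmac.compare_digest(cookie_token, posted):
        return 403
    return 200


def simulate(with_tag):
    """Full round trip for the legitimate user: GET the form, then POST it."""
    cookie_token = issue_csrf_cookie()
    form = render_login_form(cookie_token, with_tag=with_tag)
    return csrf_check(cookie_token, browser_submit(form))


def simulate_forged_post():
    """Attacker's page: it can make the victim's browser send the cookie along,
    but cannot read the cookie, so it has to guess the hidden field value."""
    victim_cookie = issue_csrf_cookie()
    attacker_form = render_login_form(secrets.token_hex(16), with_tag=True)
    return csrf_check(victim_cookie, browser_submit(attacker_form))


if __name__ == "__main__":
    print("template with the tag:    ", simulate(True))          # 200
    print("template without the tag: ", simulate(False))         # 403
    print("forged cross-site POST:   ", simulate_forged_post())  # 403
```

The middle case is the one the question is really about: the view that never calls `csrf(request)` still produces a 200 as long as the template emits the hidden input, while a template that drops `{% csrf_token %}` gets a 403 no matter what the view did, because the middleware, not the view, is the party doing the check.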