CSRF Token Help


Jesse Warden

Jun 15, 2014, 10:38:45 AM
to django...@googlegroups.com
I've read the Stack Overflow posts, blog articles on how CSRF works, etc., but I'm still failing to get this to work in both JavaScript and Dart. No matter what I try, I keep getting a 403 for my login method. I've attempted various Apache/Virtual Host programs for Mac to run a local domain in hopes it was just a localhost or browser security problem, all to no avail. I used to be able to disable web security on Chrome, but that doesn't seem to work anymore.

Client Code:

Server Code:

HTTP Responses:

Thanks if you can help!

Renato Oliveira

Jun 15, 2014, 1:03:06 PM
to django...@googlegroups.com
Since you've been trying for so long, this may be an obvious answer, but have you tried with this?


Renato Oliveira



Jesse Warden

Jun 15, 2014, 2:57:48 PM
to django...@googlegroups.com
Yes, I've added the token in the cookie. Yes, I've added the cookie in the form POST variable. Yes, I've added it as a GET variable. Yes, I've tried adding it as a POST variable. Yes, I've set it to what the server sends back. Yes, I've set it to what the server side sends back as a cookie.

... none of it works.

Andreas Kuhne

Jun 15, 2014, 3:14:21 PM
to django...@googlegroups.com
Hi Jesse,

I can't remember where I saw it, but I found that the CSRF token is added as a cookie to the response, so it is always present on each response. In my code I have an event handler (I'm using jQuery to post) that looks like the following:

    // Runs before every jQuery AJAX request: copy the csrftoken cookie
    // into the X-CSRFToken header that Django's CsrfViewMiddleware checks.
    $(document).ajaxSend(function (event, jqxhr, settings) {
        jqxhr.setRequestHeader("X-CSRFToken", $.cookie('csrftoken'));
    });

So I just get the value of the cookie 'csrftoken' and add it to the request header.

You should be able to do the same (however I don't know dart).

I don't think you should get the CSRF token from another request, because that should change (if I understand this correctly). Try getting the cookie, and ONLY adding it to the request header of your request, and not to the form.

Regards,

Andréas

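The pattern Andreas describes (read the csrftoken cookie, send it back in the X-CSRFToken header, and keep it out of the form body) without the jQuery cookie plugin, as an added example that is not code from this thread or from Django itself. It assumes Django's default cookie name (csrftoken) and header name (X-CSRFToken); the sample cookie string and the djangoFetch wrapper name are constructed for the example.

```javascript
// Added example (not from the thread): read Django's "csrftoken" cookie and
// attach it as the X-CSRFToken request header, which is what
// django.middleware.csrf.CsrfViewMiddleware checks on unsafe requests.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Return the value of one cookie, or null if it is absent.
function getCookie(cookieString, name) {
  const cookies = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(cookies, name) ? cookies[name] : null;
}

// Safe methods are exempt from the CSRF check; only the rest need the header.
function needsCsrfToken(method) {
  return !['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method.toUpperCase());
}

// Build the headers for an unsafe (POST/PUT/PATCH/DELETE) request.
// Throws if the token is missing: sending the request without it only yields
// the 403 the original poster is seeing, so fail early and visibly instead.
function csrfHeaders(cookieString) {
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie not set; request a page served through CsrfViewMiddleware first');
  }
  return { 'X-CSRFToken': token, 'Content-Type': 'application/json' };
}

// Browser-side wrapper around fetch() (hypothetical helper name; only runs
// where document and fetch exist). The token goes in the header, not the body.
async function djangoFetch(url, options = {}) {
  const method = options.method || 'GET';
  const headers = Object.assign({}, options.headers || {});
  if (needsCsrfToken(method)) {
    Object.assign(headers, csrfHeaders(document.cookie));
  }
  // credentials: 'same-origin' makes the browser send the csrftoken and
  // sessionid cookies along with the request.
  return fetch(url, Object.assign({}, options, { method, headers, credentials: 'same-origin' }));
}

// Constructed sample cookie string, shaped like document.cookie after a
// Django response set both the session and CSRF cookies.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=' + 'Q'.repeat(32) + '; theme=dark';

console.log(csrfHeaders(SAMPLE_COOKIES));
```

Two things decide whether this can work at all: the page running the script must be on the same origin as the Django server (a script on another origin cannot read the cookie, which is why the local-domain experiments above keep failing), and CSRF_COOKIE_HTTPONLY must not be enabled, since an HttpOnly cookie is invisible to document.cookie. If the first request your client makes is the POST itself, no cookie exists yet; decorating a GET view with django.views.decorators.csrf.ensure_csrf_cookie forces Django to set it on that response.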

Jesse Warden

Jun 15, 2014, 8:49:42 PM
to django...@googlegroups.com
How does the cookie get set initially? If you just make one login request, is it the first OPTIONS preflight that sets the cookie, or is it OK for it to be null until you successfully log in?

Andreas Kuhne

Jun 16, 2014, 3:04:54 AM
to django...@googlegroups.com
The cookie is set via the django.middleware.csrf.CsrfViewMiddleware middleware. It does all of the handling for CSRF tokens. It has to be included in your middleware classes. Also, the order of the middleware classes is important (at least some of my middleware didn't work if it wasn't in the correct order).

You can't have a null value in the CSRF token, at least not if you are using the CSRF token support on your forms. All responses should have the CSRF token set.

Regards,

Andréas
