Django, csrf_token does not appear on form after redirection -

- May 15, 2015

i using middleware redirect pages landing page: (part of authrequiredmiddleware class.

def process_request(self, request):     assert hasattr(request, 'user')      if not request.user.is_authenticated():         path = request.path_info.lstrip('/')         if path not in ['ipn/', 'pp_cancel/', 'pp_success/', 'sitemap/', 'welcome/']:             lang = request.get.get('lang', 'en')             ru = request.get.get('ru', '')             return render_to_response('landing_en.html', requestcontext(request, {'ru': ru}))

and settings.py

middleware_classes = (                                                                                                                                                                                         'django.middleware.cache.updatecachemiddleware',      'django.contrib.sessions.middleware.sessionmiddleware',      'django.middleware.locale.localemiddleware',      'main.common.sessionbasedlocalemiddleware.sessionbasedlocalemiddleware',      'django.middleware.common.commonmiddleware',      'django.middleware.cache.fetchfromcachemiddleware',      'django.middleware.csrf.csrfviewmiddleware',      'django.contrib.auth.middleware.authenticationmiddleware',      'django.contrib.messages.middleware.messagemiddleware',      'main.common.tz_middleware.timezonemiddleware',      'main.common.sslmiddleware.sslredirect',      'main.common.redirectallmiddleware.authrequiredmiddleware', )

if url (for example) /welcome/ , no redirection performed {% csrf_token %} works , shows in form. if user redirected no csrf_token shown in form.

what doing wrong?

from wiki page csrf:

cross-site request forgery, known one-click attack or session riding [...] type of malicious exploit of website whereby unauthorized commands transmitted user website trusts.

and later, under prevention:

verifying request's header contains x-requested-with (used ruby on rails before v2.0 , django before v1.2.5), or checking http referer header and/or http origin header.

so actually, csrf protection working well. because, while i'm not 100% problem missing referrer, think it's caused not using proper redirect triggers csrf violation.

the solution - use httpresponseredirect , pass information other view. can pass data:

 d = {'ru': ru, 'other': 'variables'}  url = '/landing/?%' % '&'.join( map(lambda x: '='.join(x), d.items()) )  return httpresponseredirect(url)

you can use regex patterns in urls (if makes sense) or use sessions if there's sensitive in there.

Search This Blog

KBPS

Django, csrf_token does not appear on form after redirection -

Comments

Post a Comment

Popular posts from this blog

python - Subclassed QStyledItemDelegate ignores Stylesheet -

java - HttpClient 3.1 Connection pooling vs HttpClient 4.3.2 -

SQL: Divide the sum of values in one table with the count of rows in another -