Django, csrf_token does not appear on form after redirection -

-

i using middleware redirect pages landing page: (part of authrequiredmiddleware class.

def process_request(self, request):     assert hasattr(request, 'user')      if not request.user.is_authenticated():         path = request.path_info.lstrip('/')         if path not in ['ipn/', 'pp_cancel/', 'pp_success/', 'sitemap/', 'welcome/']:             lang = request.get.get('lang', 'en')             ru = request.get.get('ru', '')             return render_to_response('landing_en.html', requestcontext(request, {'ru': ru}))

and settings.py

middleware_classes = (                                                                                                                                                                                         'django.middleware.cache.updatecachemiddleware',      'django.contrib.sessions.middleware.sessionmiddleware',      'django.middleware.locale.localemiddleware',      'main.common.sessionbasedlocalemiddleware.sessionbasedlocalemiddleware',      'django.middleware.common.commonmiddleware',      'django.middleware.cache.fetchfromcachemiddleware',      'django.middleware.csrf.csrfviewmiddleware',      'django.contrib.auth.middleware.authenticationmiddleware',      'django.contrib.messages.middleware.messagemiddleware',      'main.common.tz_middleware.timezonemiddleware',      'main.common.sslmiddleware.sslredirect',      'main.common.redirectallmiddleware.authrequiredmiddleware', )

if url (for example) /welcome/ , no redirection performed {% csrf_token %} works , shows in form. if user redirected no csrf_token shown in form.

what doing wrong?

from wiki page csrf:

cross-site request forgery, known one-click attack or session riding [...] type of malicious exploit of website whereby unauthorized commands transmitted user website trusts.

and later, under prevention:

verifying request's header contains x-requested-with (used ruby on rails before v2.0 , django before v1.2.5), or checking http referer header and/or http origin header.

so actually, csrf protection working well. because, while i'm not 100% problem missing referrer, think it's caused not using proper redirect triggers csrf violation.

the solution - use httpresponseredirect , pass information other view. can pass data:

 d = {'ru': ru, 'other': 'variables'}  url = '/landing/?%' % '&'.join( map(lambda x: '='.join(x), d.items()) )  return httpresponseredirect(url)

you can use regex patterns in urls (if makes sense) or use sessions if there's sensitive in there.


Comments

Post a Comment

Popular posts from this blog

python - Subclassed QStyledItemDelegate ignores Stylesheet -

-
i'm trying subclass qstyleditemdelegate remove focus rectangle in qcombobox . even though i'm calling base implementation of paint function , nothing else, result different. looks if parts of style-sheet influence bounding box of item taken consideration. class pstyleditemdelegate(qstyleditemdelegate): def __init__(self, *args, **kwds): super(pstyleditemdelegate, self).__init__(*args, **kwds) def paint(self, *args, **kwargs): qstyleditemdelegate.paint(*args, **kwargs) what have paint unmodified qstyleditemdelegate ? as suggested tried replacing pyside pyqt4 , works, appears bug. update pyside 1.1.2 1.2.1 result same. unfortunately switch breaks other parts of code, if there no other suggestions i'm going accept answer. edit bug tracked here
Read more

java - HttpClient 3.1 Connection pooling vs HttpClient 4.3.2 -

-
i have used httpclient3.1(java) connection pooling below : import org.apache.commons.httpclient.httpclient; import org.apache.commons.httpclient.multithreadedhttpconnectionmanager; import org.apache.commons.httpclient.params.httpclientparams; import org.apache.commons.httpclient.params.httpmethodparams; import org.apache.log4j.logger; public class httpclientmanager { private static logger logger = logger.getlogger(httpclientmanager.class); private static multithreadedhttpconnectionmanager connectionmanager = new multithreadedhttpconnectionmanager(); private static httpclientparams clientparams = new httpclientparams(); static { try { clientparams.makelenient(); clientparams.setauthenticationpreemptive(false); clientparams.setparameter(httpmethodparams.so_timeout, new integer(30000)); // set so_timeout clientparams.setparameter(httpmethodparams.head_body_check_timeout, new integer(3000)); // head responses ...
Read more

node.js - StackOverflow API not returning JSON -

-
i using node.js script gather data stackoverflow. know responses gzipped, put code in should take care of that. script follows: var request = require('request'); var zlib = require('zlib'); function getstackoverflowresponse(url, callback){ request(url, {encoding: null}, function(err, response, body){ if(response.headers['content-encoding'] == 'gzip'){ zlib.gunzip(body, function(err, dezipped) { callback(dezipped); }); } else { callback(body); } }); } var url = "https://api.stackexchange.com/docs/questions#pagesize=2&order=desc&min=2014-01-04&max=2014-02-02&sort=activity&tagged=apigee&filter=default&site=stackoverflow&run=true"; getstackoverflowresponse(url, function(questions) { console.log(questions); }); instead of getting json output, i'm getting following response: buffer 0d 0a 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48...
Read more