csrf

问题 I am running into an issue where when a user sits idle for more than 24 hours (my session timeout), or leaves the site and then comes back after 24 hours, they are not being logged out of the site, but their session is being expired, or at least their _token is no longer valid. This causes unwanted behavior as if the user submits a form after their _token has expired and they now receive a TokenMismatchException . Locally it seems that when the idle time exceeds the session lifetime the user

问题 I Already tried many of the aswers about this topic, no one works for me. I Have a basic CRUD with Spring MVC 4.1.7, Spring Security 3.2.3 working on MySQL + Tomcat7. The problem is, when i try to POST form with AngularJS, I keep being blocked by error 403 ( access denied ). I figured out that I need to send my CSRF_TOKEN with the POST request, but I can't figure out HOW! I Tried so many diferent ways and no one works. My Files Controller.js $scope.novo = function novo() { if($scope.id){

问题 I have an application with Django backend and angular frontend. Now, these are connected with each other, I can get data from Django and show in Angular. As well Send a post request to Django. But the issue is with CSRF token in Django. I disable the CSRF middleware in Django and the request process completely, but I know this is insecure. Method to do a post request. loadQuestion(id): Observable<any> { const body = {'choice': 'teseted with post method'}; return this.http.post(this.baseUrl +

问题 I am trying to stop bots from (potentially) submitting fake data to my php registration file. I am creating a site that uses a signup/login system and I want to add email verification which I am capable of. However the problem is my webhost only allows x amount of emails per minute, if a bot were to spam this not only will my database be filled with spam accounts but I will also be suspended for breaking the email limit. I have been reading up about securing forms and CSRF came up, a term I

问题 The CSRF prevention method of using a token on the form for each session is a popular way. However, I don't get how this token way can protect if the file_get_contents of PHP can get contents of cross domain file form --> it can get the token on the form and use it also. So how does this token way work? 回答1: If I understand your question well, you are imagining a possible exploit like this : Attacker creates a PHP page that will present a fake form to a target user Attacker's PHP script will

问题 I have developed a simple webservice, but failed to use post with Django Rest Framework as it complains about CSRF: "detail": "CSRF Failed: CSRF cookie not set." Removing the api_view decorator does stop the message from appearing but then I won't be able to access the request.data. I think that the api_view does check CSRF although I added the csrf_exempt decorator. This is my view: @permission_classes((IsAuthenticated, )) @csrf_exempt @api_view(['POST']) def get_stats(request): """ Returns

问题 I have installed Owasp ModSecurity, after that all pages on my application have this rule alert. ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/etc/modsecurity/activated_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] I also tried to create a blank php file just to check, same rule alert is shown. From this point I assume that the problem is not code level any more. Here is the

问题 I use a few different AJAX calls in one of my pages through a couple of different methods. CHtml::link() CHtml::ajax() Within CGridview Since enabling CSRF I'm having difficulty verifying the token. What is the correct way? I've read a few posts, but struggling to implement. For instance in CHtml::link() I've tried: 'data' => "Yii::app()->request->csrfTokenName = Yii::app()->request->csrfToken", and also within CGridview : data: { Yii::app()->request->csrfTokenName => Yii::app()->request-

问题 I have a website that uses Django as the backend. I am now developing an IOS application that connects to the same backend. I am planning to use Oauth2 authentication for login and onwards. However, I just don't know what to do for the registration form. The registration form will POST data like email, username and password. Since there is no csrf token for the app, it would get a 403 error. If I do csrf_exempt on the registration view, I don't know how secure it would be. I searched

问题 I don't like how CI behaves by default when a CSRF token has expired. For instance, when a user has displayed the login form for a long time and they finally submit it, this ugly blank page with the error message comes up. I asked for ways to get around this, and someone told me to extend the Security class, and override its csrf_show_error() method, like this: class MY_Security extends CI_Security { public function __construct() { parent::__construct(); } public function csrf_show_error() {