csrf

Django 1.2.4 CSRF verification failed

柔情痞子 submitted on 2019-12-09 10:32:40
Question: Django 1.2 is consistently giving me this CSRF verification error when I perform a POST form. I "think" I've done all the things asked in the Django 1.2 docs, namely: ensure MIDDLEWARE_CLASSES includes 'django.middleware.csrf.CsrfViewMiddleware'; ensure the {% csrf_token %} is in the form: <form action="/words/new/" method="post"> {% csrf_token %} {{ form.as_p }} <input type="submit" value="Enter" /> </form>; use RequestContext in my response: def create(request): if request.method == 'POST': form =

Yii 2.0 CSRF validation for AJAX request

妖精的绣舞 submitted on 2019-12-09 10:10:44
Question: I have an ajax function that triggers an entry deletion from my database. I need to do CSRF validation for the same. How can I do that? I am sending the CSRF cookie along with my post request, but Yii 2.0 is not validating it and any input that is passed through ajax is reaching the server. How do I do CSRF validation for ajax requests? Do we need to manually set the cookie and check it? Answer 1: You don't need to manually set the cookie. If you are using jQuery, the CSRF token will be sent automatically.

MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

∥☆過路亽.° submitted on 2019-12-09 10:06:48
Question: We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any more. The problem is that MVC 2 now uses symmetric encryption to encode some properties about the user, including the user's Name property (from IPrincipal). We are able to securely register a new user using AJAX, after which subsequent AJAX calls will be invalid as the anti-forgery token will change when the user has been

AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?

浪子不回头ぞ submitted on 2019-12-09 08:23:25
Question: We're writing an iOS mobile app in Objective-C that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc.) appear to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with ValidateAntiForgeryTokenAttribute. I'll qualify this question by saying that I don't properly understand the mechanism by which the antiforgery tokens are generated and

Unique form token disables multitasking for the user

喜夏-厌秋 submitted on 2019-12-09 06:56:48
Question: If I want to protect my site and users from Cross Site Forgery (CSRF) attacks, I can generate a unique token $token = md5( time() * rand() ); on every page that has a form. The token is submitted in a hidden input field echo '<input type="hidden" name="token" value="'.$token.'">'; and at the same time stored in a session variable $_SESSION['token'] = $token; . On any submitted form I will check if($_POST['token'] == $_SESSION['token']) and proceed accordingly. However some users may

Prevent Cross-Site Request Forgery in a Spring WebFlow Application

百般思念 submitted on 2019-12-09 06:15:21
Question: I'm looking for a (hopefully straightforward) way to add CSRF protection to an application built on Spring WebFlow 2. An approach that migrates well to Spring WebFlow 3 (when released) is preferred. Answer 1: The easiest way to prevent CSRF is to check the referer request.getHeader("referer"); to make sure the request is coming from the same domain. This method is covered by the CSRF Prevention Cheat Sheet. It's common to see this CSRF protection system on embedded network hardware with limited

Magento CSRF protection

坚强是说给别人听的谎言 submitted on 2019-12-09 05:37:45
Question: I am looking at custom forms in Magento. I saw these tutorials http://fastdivision.com/2012/03/29/diy-magento-create-ajax-login-registration-forms-for-your-magento-theme/ http://inchoo.net/ecommerce/magento/magento-email/magento-custom-email-contact-form-with-notification-system/ I did not see any mention of CSRF prevention, like checking a client token against one stored in a user session. I also looked in the Magento Contact Us form, and saw this, but I do not think it relates to CSRF: <input

What is CSRF Protection really for?

本小妞迷上赌 submitted on 2019-12-09 02:36:45
Question: I've been hearing about CSRF for a long time, and the thing I hear most of the time is: Protecting against CSRF attacks is important so that someone doesn't submit your form automatically (using a bot or something). Well, that isn't 100% true, is it? I've been doing web scraping for about 3 years, and it is pretty straightforward to make a request, parse the csrftokenmiddleware field and POST it along with the other fields. So, what is it really for? Answer 1: Imagine an e-banking web application

what is the use of anti-forgery token salt?

醉酒当歌 submitted on 2019-12-09 02:20:15
Question: In ASP.NET MVC 1.0, there is a new feature for handling the cross-site request forgery security problem: <%= Html.AntiForgeryToken() %> [ValidateAntiForgeryToken] public ViewResult SubmitUpdate() { // ... etc } I found that the token generated in the html form keeps changing every time a new form is rendered. I want to know how these tokens are generated. And when I use some software to scan this site, it reports another security problem: Session fixed. Why? Since the token keeps changing, how can this

Login to Gitlab using cURL

安稳与你 submitted on 2019-12-09 00:52:22
Question: For testing a command line tool against a Gitlab instance in Docker, I would like to log in to Gitlab using username and password and grab the created session to authenticate my API requests. Therefore I do the following: curl the user login page with curl -i http://localhost:8080/users/sign_in -s; get the _gitlab_session from the headers; get the authenticity_token from the login form; send a second curl request with curl 'http://localhost:8080/users/sign_in' \ -H "_gitlab_session=${cookie