csrf

I am getting a "Can't verify CSRF token authenticity" in Rails production. My questions are: Why is it doing this? How can I fix it? Here's my Heroku logs (some values anonymized): 2016-02-13T01:18:54.118956+00:00 heroku[router]: at=info method=POST path="/login" host=[MYURL] request_id=[ID STRING] fwd="FWDIP" dyno=web.1 connect=0ms service=6ms status=422 bytes=1783 2016-02-13T01:18:54.116581+00:00 app[web.1]: Started POST "/login" for [IPADDRESS] at 2016-02-13 01:18:54 +0000 2016-02-13T01:18:54.119372+00:00 app[web.1]: Completed 422 Unprocessable Entity in 1ms 2016-02-13T01:18:54.118587+00:00

This question is more a re-insurance than one directly about how to code. As an autodidact i did not have a lot of possibilities to ask professionals such things, so i try here. I have read the documents in the django-docs ( https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ ) and some info on that page: http://cwe.mitre.org/top25/#CWE-352 As far as i have understood, django delivers a token (some kind of pin-code) to a user. And to verify it really is him, he has to return it the next time he does a request. And some guys at Google found out that this is even possible with ajax-requests,

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080. internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this: CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%) After some

作者：pmiaowu 文章：https://www.yuque.com/pmiaowu/web_security_1/sq87w6 这里需要使用到一个微博账号与两个某厂商账号 条件： 1、微博账号：182**77 (攻击者) 2、某厂商账号A：33*493@qq.com (攻击者) 3、某厂商账号B：28*165@qq.com (无辜受害者) 利用方法： 步骤1：攻击者-登录微博 步骤2：攻击者-使用某厂商账号A 登录 从上面看其实有很多绑定账号快捷登录的方法,但是微博绑定的用户肯定是比较少的所以我们用它 步骤3：攻击者-点击绑定微博抓包 绑定微博的url： https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af 这个url中的code就是我的微博一次性token 步骤4：无辜受害者-使用某厂商账号B 登录 将url发送给账号B 打开： https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af 这时提示绑定成功了~~~ 嘿嘿嘿

I'm new to Tapestry5, but because of an internship I need to work with it. Currently I am trying to build a mixin to integrate a CSRF token ( explanation here ) to any form. Is it even possible to achieve this in a mixin? If yes, could I access functions that the mixin offers from the page? I am really not sure about how mixins really work and I'm having big difficulties on finding information about how to create one. Can somebody explain how to create a mixin and if what I'm trying to do is even possible? Thanks a lot! You might find that the HMAC message authentication introduced in tapestry