1. 首頁
  2. 問答
  3. Iphone張貼到django網絡服務器給出csrf驗證錯誤

Iphone張貼到django網絡服務器給出csrf驗證錯誤

2012-01-11 44 views
0

我想創建一個iPhone應用程序,它將做一個用戶的登錄驗證。Iphone張貼到django網絡服務器給出csrf驗證錯誤

但是當我傳入的用戶名和密碼,並打印日誌,它從網絡接收jsonString的,

我收到以下錯誤:

2012-01-11 13:44:51.470 Different Views[53942:18903] 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html lang="en"> 
<head> 
    <meta http-equiv="content-type" content="text/html; charset=utf-8"> 
    <meta name="robots" content="NONE,NOARCHIVE"> 
    <title>403 Forbidden</title> 
    <style type="text/css"> 
    html * { padding:0; margin:0; } 
    body * { padding:10px 20px; } 
    body * * { padding:0; } 
    body { font:small sans-serif; background:#eee; } 
    body>div { border-bottom:1px solid #ddd; } 
    h1 { font-weight:normal; margin-bottom:.4em; } 
    h1 span { font-size:60; color:#666; font-weight:normal; } 
    #info { background:#f6f6f6; } 
    #info ul { margin: 0.5em 4em; } 
    #info p, #summary p { padding-top:10px; } 
    #summary { background: #ffc; } 
    #explanation { background:#eee; border-bottom: 0px none; } 
    </style> 
</head> 
<body> 
<div id="summary"> 
    <h1>Forbidden <span>(403)</span></h1> 
    <p>CSRF verification failed. Request aborted.</p> 

</div> 

<div id="info"> 
    <h2>Help</h2> 

    <p>Reason given for failure:</p> 
    <pre> 
    CSRF token missing or incorrect. 
    </pre> 


    <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when 
    <a 
    href='http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ref-contrib-csrf'>Django's 
    CSRF mechanism</a> has not been used correctly. For POST forms, you need to 
    ensure:</p> 

    <ul> 
    <li>The view function uses <a 
    href='http://docs.djangoproject.com/en/dev/ref/templates/api/#subclassing-context-requestcontext'><code>RequestContext</code></a> 
    for the template, instead of <code>Context</code>.</li> 

    <li>In the template, there is a <code>{Jsrf_token 
    }</code> template tag inside each POST form that 
    targets an internal URL.</li> 

    <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use 
    <code>csrf_protect</code> on any views that use the <code>csrf_token</code> 
    template tag, as well as those that accept the POST data.</li> 

    </ul> 

    <p>You're seeing the help section of this page because you have <code>DEBUG = 
    True</code> in your Django settings file. Change that to <code>False</code>, 
    and only the initial error message will be displayed. </p> 

    <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p> 
</div> 

</body> 
</html>

這個錯誤出現從我試圖訪問的網頁

根據我的研究,我發現一個類似ANS here但我不知道如何設置/獲取令牌

任何幫助將非常感激。謝謝。

來源

2012-01-11 Stanwin Siow

+0

這是在網絡視圖(查看html和提交表單)或者你只是直接發佈數據到一些(Django的)視圖? – second 2012-01-11 11:21:34

+0

我想從一個webview,因爲否則他可以實現提供的答案。 – RickyA 2012-01-11 12:10:29

+0

@Stanwin如果你從webview中調用這個url,你是從表單發佈它還是你把它放在bla? – RickyA 2012-01-11 12:12:08

回答

0

Django CSRF docs「如何運作」下:

The CSRF protection is based on the following things:

  1. A CSRF cookie that is set to a random value (a session independent nonce, as it is called), which other sites will not have access to.

    This cookie is set by CsrfViewMiddleware. It is meant to be permanent, but since there is no way to set a cookie that never expires, it is sent with every response that has called django.middleware.csrf.get_token() (the function used internally to retrieve the CSRF token).

  2. A hidden form field with the name 'csrfmiddlewaretoken' present in all outgoing POST forms. The value of this field is the value of the CSRF cookie.

    This part is done by the template tag.

  3. For all incoming requests that are not using HTTP GET, HEAD, OPTIONS or TRACE, a CSRF cookie must be present, and the 'csrfmiddlewaretoken' field must be present and correct. If it isn't, the user will get a 403 error.

    This check is done by CsrfViewMiddleware.

  4. In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

This ensures that only forms that have originated from your Web site can be used to POST data back. (emphasis mine)

你不能簡單地張貼的用戶名和密碼,還必須包含在POST數據的CSRF令牌。花一些時間閱讀文檔並理解CSRF的工作原理。

來源

2012-01-11 15:17:44

+0

克里斯。我會花一些時間來了解CSRF組件。感謝回覆! – 2012-01-11 22:27:11

+0

對此有何好運?我面臨同樣的問題 – JEzu 2012-05-02 08:32:43

相關問題

 相關問題