CSRF verification failed. Request aborted - Django, POST

Time: 2022-04-11 06:35:32

I'm using:

   Server: Django, Gunicorn, nginx, postgresql
   Client: Chrome Advanced Rest Client

views.py


  from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie  # Newly added
  from django.http import HttpResponse, HttpResponseNotAllowed
  from django.utils.html import escape

  @ensure_csrf_cookie   # newly added: forces a Set-Cookie: csrftoken on this GET response
  def hello(request):
      return HttpResponse("Hello world")


  def hi(request):
      return HttpResponse("Hi World")

  def display_meta(request):
      # request.META.items() is a view on Python 3 and has no .sort(); sort a copy.
      values = sorted(request.META.items())
      html = []
      for k, v in values:
          # META echoes client-controlled headers, so escape them before putting them in HTML
          html.append('<tr><td>%s</td><td>%s</td></tr>' % (escape(k), escape(v)))
      return HttpResponse('<table>%s</table>' % '\n'.join(html))

  def addUser(request):
      if request.method == 'POST':
          # Convert JSON to python objects and
          # store into the DB
          print('Raw Json "%s"' % request.body)
          #return HttpResponse("%s" %request.body)
          return HttpResponse("Thank God")
      # Anything but POST: a view must always return a response, never None
      return HttpResponseNotAllowed(['POST'])

url.py


from django.conf.urls import patterns, include, url
from django.contrib import admin
from requests import hello, hi, addUser, display_meta

urlpatterns = patterns('',
    # Examples:
    # url(r'^$', 'testProject.views.home', name='home'),
    # url(r'^blog/', include('blog.urls')),
    url(r'^hello/$', hello),
    url(r'^hi/$', hi),
    url(r'^admin/', include(admin.site.urls)),
    url(r'^addPatient/$', addUser),
    url(r'^displaymeta/$', display_meta),
)

manage.py


# Application definition

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'dbTransactions',
)

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

From Advanced Rest Client:

a) GET to hi works fine, no error
b) POST to addUser gives "CSRF verification failed. Request aborted"

What I tried:

  1. @csrf_exempt in views - no change, the POST gives the same error
  2. Putting X-CSRF-Token in the POST header - no change, the POST gives the same error

I would greatly appreciate help on this. I've already read:

1 answer

#1


Thank you for the response. I learnt the following things about CSRF, Django and Chrome Advanced Rest API Client.

a. CSRF - Cross Site Request Forgery - is a way to protect against malicious transactions, especially POST, PUT, DELETE, on the authenticated connection between the client and the server.

b. Django allows GET with the CSRF token, but it fails for any POST, PUT or DELETE.

c. To obtain the CSRF token in the response to a GET, one can use @ensure_csrf_cookie, which will make sure the response has the CSRF token.

d. For a POST from Chrome's Advanced REST Client, one has to use X-CSRFTOKEN and the token obtained from the response to the GET command.
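The cookie-plus-header check the answer describes, as an added example that is not part of the original question or answer and not Django's own code: a stand-alone Python model of the token handling in django.middleware.csrf (a 32-character secret in the csrftoken cookie, a 64-character masked token in the form field or X-CSRFToken header, and the comparison CsrfViewMiddleware makes for unsafe methods), together with the steps an API client such as Advanced REST Client has to take. It assumes the masking scheme of current Django (4.1 and later, where the cookie holds the unmasked secret and request tokens may be masked or not); the Origin/Referer checks Django adds for HTTPS are not modelled. The Set-Cookie header and the function names csrf_check, client_flow and run_demo are constructed for this example.

```python
"""Model of Django's CSRF double-submit check (added example, not Django code).

The server sets a ``csrftoken`` cookie; every unsafe request must carry a token that
matches it, either in the ``csrfmiddlewaretoken`` form field or in the ``X-CSRFToken``
header. Assumes the masking scheme of Django 4.1+; Origin/Referer checks are not
modelled. All sample data below is constructed.
"""
import secrets
import string
from http.cookies import SimpleCookie

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                      # length of the secret stored in the cookie
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH   # mask + cipher, the form a template/JS client sees
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class CsrfReject(Exception):
    """Raised where the middleware would return the 403 'CSRF verification failed' page."""


def new_secret():
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret):
    """Fresh 64-char token: random mask followed by the secret shifted by that mask."""
    mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token):
    """Invert mask_secret; negative indexes wrap around the alphabet, so no modulo is needed."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(chars[chars.index(c) - chars.index(m)] for c, m in zip(cipher, mask))


def csrf_check(method, cookies, headers, form=None, exempt=False):
    """Server side: the decision CsrfViewMiddleware.process_view makes for one request.

    ``cookies``, ``headers`` and ``form`` are plain dicts. Header names are matched
    case-insensitively, but only ``X-CSRFToken`` counts (Django's default
    CSRF_HEADER_NAME is HTTP_X_CSRFTOKEN); ``X-CSRF-Token`` is silently ignored.
    Returns True when the request may proceed, raises CsrfReject otherwise.
    """
    if exempt or method in SAFE_METHODS:     # @csrf_exempt views and safe methods skip the check
        return True
    secret = cookies.get("csrftoken")
    if secret is None:
        raise CsrfReject("CSRF cookie not set.")
    if len(secret) != CSRF_SECRET_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in secret):
        raise CsrfReject("CSRF cookie has incorrect length or characters.")
    token = (form or {}).get("csrfmiddlewaretoken", "") if method == "POST" else ""
    if not token:
        token = {k.lower(): v for k, v in headers.items()}.get("x-csrftoken", "")
    if not token:
        raise CsrfReject("CSRF token missing.")
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        raise CsrfReject("CSRF token has invalid characters.")
    if len(token) == CSRF_TOKEN_LENGTH:
        token = unmask_token(token)
    elif len(token) != CSRF_SECRET_LENGTH:
        raise CsrfReject("CSRF token has incorrect length.")
    if not secrets.compare_digest(token, secret):
        raise CsrfReject("CSRF token incorrect.")
    return True


def client_flow(set_cookie_header, header_name="X-CSRFToken"):
    """Client side: what Advanced REST Client (or curl) has to do.

    GET a view that sets the cookie (one decorated with @ensure_csrf_cookie), read
    ``csrftoken`` out of the Set-Cookie header, then send it back on the POST both
    as the Cookie and, masked, as the X-CSRFToken header.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    secret = jar["csrftoken"].value
    return {"cookies": {"csrftoken": secret}, "headers": {header_name: mask_secret(secret)}}


def attempt(**request):
    try:
        return csrf_check(**request)
    except CsrfReject as e:
        return str(e)


def run_demo():
    """Replay the situations from the question; True or the rejection reason per case."""
    secret = new_secret()
    # constructed: the Set-Cookie header the @ensure_csrf_cookie GET response carries
    set_cookie = "csrftoken=%s; Max-Age=31449600; Path=/" % secret
    good = client_flow(set_cookie)
    wrong_name = client_flow(set_cookie, header_name="X-CSRF-Token")  # what the question tried
    foreign = client_flow("csrftoken=%s; Path=/" % new_secret())      # token from another session
    return {
        "get_no_token": attempt(method="GET", cookies={}, headers={}),
        "post_no_cookie": attempt(method="POST", cookies={}, headers=good["headers"]),
        "post_wrong_header_name": attempt(method="POST", cookies=good["cookies"],
                                          headers=wrong_name["headers"]),
        "post_header_ok": attempt(method="POST", cookies=good["cookies"], headers=good["headers"]),
        "post_form_ok": attempt(method="POST", cookies=good["cookies"], headers={},
                                form={"csrfmiddlewaretoken": mask_secret(secret)}),
        "post_foreign_token": attempt(method="POST", cookies=good["cookies"],
                                      headers=foreign["headers"]),
        "post_exempt": attempt(method="POST", cookies={}, headers={}, exempt=True),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print("%-24s %s" % (case, "allowed" if outcome is True else outcome))
```

The "post_wrong_header_name" case is the one from the question: a header spelled X-CSRF-Token never reaches the check, because Django only reads the header configured by CSRF_HEADER_NAME. The "post_foreign_token" case is the property that makes the scheme work: a token has to match the cookie of the very session it is sent with, and a cross-site attacker can trigger the POST but cannot read the victim's csrftoken cookie. Against a real Django server a requests.Session() takes care of carrying the cookie from the GET to the POST; the X-CSRFToken header still has to be set by hand.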
