I have to introduce SAML2 authentication in my Django Project.
My base app uses a CSRF token that is provided by the @ensure_csrf_cookie decorator on the main page.
To implement SAML, I've added a new "login" button on the main page (the one that sets the CSRF token cookie). The button sends the SAML request to the IdP. When I return from the IdP to a landing page (a view in the saml2 sub-app that reads the response) I get a 403 Forbidden error about the CSRF token.
I'm using the OneLogin Python library (python3-saml): https://github.com/onelogin/python3-saml
The landing page is the one that ends with: ?acs
What I want to know is whether it's a problem with my landing page, or whether the IdP response has to be bound to the CSRF token in some way.
Thanks.
NOTE: I've also tried adding the IdP domain to the CSRF_TRUSTED_ORIGINS setting.
You will probably need to mark the SAML return view as @csrf_exempt, as the IdP wouldn't know how to pass the Django-specific CSRF token.
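To make the answer concrete, here is an added example (not code from the question, the answer, or python3-saml) that models the order in which Django's CsrfViewMiddleware decides a POST, and why the CSRF_TRUSTED_ORIGINS attempt in the NOTE could not help on its own: adding the IdP origin only widens the Origin check, while the separate cookie-versus-token comparison still runs and fails, because the form the IdP auto-submits to the ?acs view carries SAMLResponse and RelayState but no csrfmiddlewaretoken. The view names, the sp.example.com and idp.example.org origins, and the token values are constructed assumptions; the csrf_exempt mechanism itself is what Django really does (the decorator sets a csrf_exempt attribute that the middleware checks before anything else).

```python
"""Added example: a simplified model of Django's CsrfViewMiddleware (not Django code).

It keeps the real ordering: exempt views and safe methods skip the check, then
the Origin check (the only part CSRF_TRUSTED_ORIGINS widens), then the
cookie-vs-token comparison. The real middleware also unmasks tokens and checks
Referer on HTTPS; those details are left out here.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SP_ORIGIN = "https://sp.example.com"                 # assumption: our Django site
CSRF_TRUSTED_ORIGINS = ["https://idp.example.org"]   # assumption: the IdP, as in the NOTE


@dataclass
class Request:
    method: str
    path: str
    origin: Optional[str]                    # Origin header the browser attached
    cookies: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def csrf_exempt(view):
    """Same mechanism as django.views.decorators.csrf.csrf_exempt: set a flag."""
    view.csrf_exempt = True
    return view


def csrf_check(request: Request, view) -> str:
    """Return 'OK' or the 403 reason, in the order the middleware evaluates them."""
    if getattr(view, "csrf_exempt", False):
        return "OK"                                  # middleware skips exempt views
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return "OK"                                  # safe methods are never checked
    if request.origin not in [SP_ORIGIN, *CSRF_TRUSTED_ORIGINS]:
        return "403: Origin checking failed"         # where CSRF_TRUSTED_ORIGINS matters
    cookie = request.cookies.get("csrftoken")
    if cookie is None:
        return "403: CSRF cookie not set"
    sent = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken")
    if sent is None:
        return "403: CSRF token missing"             # the IdP's form never carries it
    if not secrets.compare_digest(sent, cookie):
        return "403: CSRF token incorrect"
    return "OK"


def acs_view(request: Request) -> str:
    """The ?acs landing view; python3-saml would parse request.post['SAMLResponse']."""
    return "process SAMLResponse"


@csrf_exempt
def acs_view_exempt(request: Request) -> str:
    return acs_view(request)


def idp_post(csrf_cookie: Optional[str]) -> Request:
    """What the browser sends when the IdP page auto-submits its form to ?acs:
    Origin is the IdP, the body has only SAMLResponse and RelayState (constructed)."""
    cookies = {"csrftoken": csrf_cookie} if csrf_cookie else {}
    return Request("POST", "/saml/?acs", "https://idp.example.org", cookies=cookies,
                   post={"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLi4u", "RelayState": "/"})


def own_form_post(csrf_cookie: str) -> Request:
    """A normal same-site form POST rendered by a page under @ensure_csrf_cookie."""
    return Request("POST", "/profile/", SP_ORIGIN, cookies={"csrftoken": csrf_cookie},
                   post={"csrfmiddlewaretoken": csrf_cookie, "name": "alice"})


def demo() -> Dict[str, str]:
    token = secrets.token_urlsafe(32)      # stands in for the value the cookie decorator set
    attacker = Request("POST", "/saml/?acs", "https://attacker.example",
                       cookies={"csrftoken": token})
    return {
        "own form": csrf_check(own_form_post(token), acs_view),
        "acs, trusted origin": csrf_check(idp_post(token), acs_view),       # still 403
        "acs, csrf_exempt": csrf_check(idp_post(token), acs_view_exempt),
        "acs, unknown origin": csrf_check(attacker, acs_view),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

Exempting the ACS view removes Django's check for that endpoint, so its forgery and replay protection has to come from the SAML layer: the response signature (which python3-saml verifies in process_response) and, for SP-initiated logins, binding the response to the request you issued by storing auth.get_last_request_id() in the session after auth.login() and passing it as request_id to process_response, so an unsolicited or attacker-supplied response is rejected.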
Related
I have an API from which users can log in to get a token so they can make requests, etc., and I have also made a session login as there are a few scenarios where I need the user session token. Now if a user logs in to the API and afterwards they need to log in using the session auth it's all good; however, the reverse does not work. If you are logged in using session auth and then want to log in via the API to release a token, I get a response of Forbidden. Could someone please offer some insight?
I am getting this error; please handle the CSRF token in the Django project. When I first made an AJAX call with a POST request, I got an HTTP 403 Forbidden error. A quick debug led me to the CSRF authorisation problem. The backend refused to authorise the request because there was no accompanying CSRF token to prove that the request was not from a foreign site.
From the documentation:
"The CSRF middleware and template tag provides easy-to-use protection against Cross Site Request Forgeries. This type of attack occurs when a malicious website contains a link, a form button or some JavaScript that is intended to perform some action on your website, using the credentials of a logged-in user who visits the malicious site in their browser."
Therefore, when making a POST request, you should always include a CSRF token.
For more information, including how to use it with AJAX calls, please refer to the documentation:
https://docs.djangoproject.com/en/3.0/ref/csrf/
I am building a server for both mobile and web environments and I want to have session auth alongside token auth. However, these seem to be at odds with each other.
I have a different view for logins in both schemes.
If I log in as a user inside the browsable API and then send a request for token login for a different user, the server complains that there is no CSRF token. However, if I log out, suddenly there's no problem.
I am not sure how severe it will be after the frontend is implemented and the logins come from different devices, but so far it doesn't look good.
Any idea how to stop requiring CSRF token if the correct Authorization: Token <token> header is passed? Or different solution to my problem?
The default SessionAuthentication backend from DRF is built in a way that, if you provide a valid session in the request, it will turn on CSRF validation. There are two possible solutions for that: either don't use the two authentication methods together (don't send a token when you are sending a valid session cookie in the request), or prioritize token authentication by putting the TokenAuthentication backend above SessionAuthentication in the DEFAULT_AUTHENTICATION_CLASSES setting.
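The ordering rule in the answer comes from how a DRF Request walks DEFAULT_AUTHENTICATION_CLASSES: the first class whose authenticate() returns a user wins, and SessionAuthentication calls enforce_csrf() only after it has found a session user. What follows is an added example that models that loop with stand-in classes; it is not DRF's code and imports nothing from it, and the users, session ids and token strings are constructed. It also shows the caveat the answer leaves implicit: reordering only helps requests that actually carry an Authorization header, so a request that has only the session cookie (the token-login call made from the browsable API in the question) still lands in SessionAuthentication and still needs the X-CSRFToken header.

```python
"""Added example: a stand-in for DRF's authentication loop (not DRF code).

rest_framework.request.Request tries each authentication class in order and
stops at the first one that returns a user; an exception from any class aborts
the request. SessionAuthentication enforces CSRF only after it has matched a
session user, so whichever class answers first decides whether the
cookie-bound CSRF check ever runs. Sessions, tokens and users are constructed.
"""
from typing import Dict, List, Optional, Type

SESSIONS: Dict[str, str] = {"sess-alice": "alice"}      # sessionid cookie -> user
TOKENS: Dict[str, str] = {"tok-bob-123": "bob"}         # Authorization token -> user


class Request:
    def __init__(self, cookies=None, headers=None, post=None):
        self.cookies: Dict[str, str] = cookies or {}
        self.headers: Dict[str, str] = headers or {}
        self.post: Dict[str, str] = post or {}


class AuthFailed(Exception):
    """Stands in for DRF's PermissionDenied / AuthenticationFailed."""


class SessionAuthentication:
    def authenticate(self, request: Request) -> Optional[str]:
        user = SESSIONS.get(request.cookies.get("sessionid", ""))
        if user is None:
            return None                     # no session: let the next class try
        self.enforce_csrf(request)          # CSRF is only checked on this path
        return user

    @staticmethod
    def enforce_csrf(request: Request) -> None:
        cookie = request.cookies.get("csrftoken")
        sent = request.headers.get("X-CSRFToken") or request.post.get("csrfmiddlewaretoken")
        if not cookie or sent != cookie:
            raise AuthFailed("CSRF Failed: CSRF token missing or incorrect.")


class TokenAuthentication:
    def authenticate(self, request: Request) -> Optional[str]:
        parts = request.headers.get("Authorization", "").split()
        if len(parts) != 2 or parts[0] != "Token":
            return None                     # no token header: not our request
        user = TOKENS.get(parts[1])
        if user is None:
            raise AuthFailed("Invalid token.")   # a bad token fails, it does not fall through
        return user


def authenticate(request: Request, classes: List[Type]) -> str:
    """First class returning a user wins; a failure stops the loop, as in DRF."""
    for cls in classes:
        try:
            user = cls().authenticate(request)
        except AuthFailed as exc:
            return f"403 {exc}"
        if user is not None:
            return f"200 {user} via {cls.__name__}"
    return "401 anonymous"


SESSION_FIRST = [SessionAuthentication, TokenAuthentication]   # DRF's default order
TOKEN_FIRST = [TokenAuthentication, SessionAuthentication]     # the answer's suggestion

BROWSER = {"sessionid": "sess-alice", "csrftoken": "c1"}       # logged in via browsable API


def demo() -> Dict[str, str]:
    token_call = Request(cookies=BROWSER, headers={"Authorization": "Token tok-bob-123"})
    login_call = Request(cookies=BROWSER, post={"username": "bob", "password": "x"})
    with_header = Request(cookies=BROWSER, headers={"X-CSRFToken": "c1"},
                          post={"username": "bob", "password": "x"})
    return {
        "token header, session first": authenticate(token_call, SESSION_FIRST),
        "token header, token first": authenticate(token_call, TOKEN_FIRST),
        "token login, session first": authenticate(login_call, SESSION_FIRST),
        "token login, token first": authenticate(login_call, TOKEN_FIRST),  # reorder does not help
        "token login + X-CSRFToken": authenticate(with_header, SESSION_FIRST),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} -> {result}")
```

Putting TokenAuthentication first does not weaken CSRF protection: a forged cross-site form or top-level navigation can attach the victim's cookies but cannot add a custom Authorization header, so only same-origin script (or an origin your CORS policy admits) can produce a request that takes the token path.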
We are building a React SPA with django-rest-framework on the backend and use django-rest-auth for user authentication.
When a user has logged in, we show them a form to change profile data. When the user submits this form, we take the CSRF token from the cookie in the login response and put it in the request's X-CSRFToken header. The server responds that the token is missing or incorrect.
If the user refreshes the page and repeats the same actions, the CSRF token is correct and the profile data is updated.
How can I solve this problem, and why does it occur?
It looks like this is happening:
The login is successful
The cookie+token is created by the CSRF API and returned to the endpoint
The ready state executes some code not executed after the API response
The certificate is validated and the cookie+token is set in the database/app config/server-side cache during a GET request and/or by the ready state callback
Since there is no GET request until the refresh, the cookie+token is not centrally stored until then. Add a request to mimic what happens during the GET, then store it where it is currently being accessed for subsequent requests.
I'm trying out the authentication and authorization example from yesodweb.
The login works fine now with BrowserId and Google, but when I want to log out I get a:
Permission denied
A valid CSRF token wasn't present in HTTP headers or POST parameters. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection.
This is the form sent from the auth subsite after clicking on the logout link: http://lpaste.net/150405.
It's obvious that the token is not in the form, but the token is in the cookie my browser is sending in the POST with the form: http://lpaste.net/150406.
What am I doing wrong here? I don't want to be logged in forever :)