To what extent can caching destroy my Flask App? - flask

I created a Flask web application that only runs locally and is used to fill out forms. When a form is filled out, it automatically records it in an Excel file and sends emails. Since the application stays on 24/7, I was wondering how the web browser's cache could crash my program. I did not write code anywhere stating to use the browser's cache, but I am worried that this could be something I need to think about, as I am finding that it affected people who had created web apps previously. So I was wondering how caching in my situation could crash my program? Users simply type their name and fill out responses to questions.
I have placed the following code in my routes.py, but I still see the browser saving user names, so I don't think it cleared the cache:
    @app.after_request
    def add_header(r):
        """
        Add headers that tell the browser not to cache the rendered page.
        """
        r.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
        r.headers["Pragma"] = "no-cache"
        r.headers["Expires"] = "0"
        # The original also re-assigned Cache-Control here, which replaced the
        # no-store value set above with a permissive one:
        # r.headers['Cache-Control'] = 'public, max-age=0'
        return r

If you don't specify caching in your Flask app or in the server configuration, there won't be any cache handled by the server.
But it can be done automatically on the client side. If there is an autosuggestion on the input, this is done by the browser.
You can disable it directly on the input with autocomplete="off":
<input type="email" id="email" name="email" autocomplete="off"/>
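The two mechanisms the question mixes up can be shown side by side. The following is an added example, not code from the question or the answer: a dependency-free WSGI middleware that forces no-store cache headers on every response and discards any conflicting Cache-Control the application set (the question's snippet assigned Cache-Control twice and the second, permissive value won). A Flask app is a WSGI callable, so it can be wrapped with `app.wsgi_app = no_store(app.wsgi_app)`; here a constructed `form_app` stands in for the real view so the whole thing runs offline.

```python
"""Added example (not from the question or answer): a WSGI middleware that
forces no-store cache headers on every response and removes any conflicting
Cache-Control the application set. Flask apps are WSGI callables, so it can
wrap one with ``app.wsgi_app = no_store(app.wsgi_app)``; form_app below is a
constructed stand-in for the real application."""
from wsgiref.util import setup_testing_defaults

# Headers that tell browsers and intermediaries not to keep a copy.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
_CACHE_HEADER_NAMES = {name.lower() for name, _ in NO_STORE_HEADERS}


def no_store(app):
    """Wrap a WSGI app so every response carries the no-store headers.

    Any Cache-Control/Pragma/Expires the wrapped app emitted is dropped first,
    so a permissive value set later in the app cannot silently win."""
    def middleware(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in _CACHE_HEADER_NAMES]
            return start_response(status, kept + NO_STORE_HEADERS, exc_info)
        return app(environ, patched_start_response)
    return middleware


def form_app(environ, start_response):
    """Constructed stand-in for the form view. autocomplete="off" is a markup
    attribute: it stops the browser's own suggestion list, which no
    Cache-Control header can do."""
    body = (b'<form method="post">'
            b'<input type="text" id="name" name="name" autocomplete="off"/>'
            b'</form>')
    # A permissive header like the one that overrode the no-store value.
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Cache-Control", "public, max-age=0")])
    return [body]


def call_app(app, path="/"):
    """Drive a WSGI app in-process and return (status, header dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = call_app(no_store(form_app))
    print(status, headers["Cache-Control"])
```

Run stand-alone it prints the forced Cache-Control value; wrapped around the real Flask app, the response headers can be checked the same way with Flask's test client. The split matters: the headers control what the browser and any proxy store, while the form's autocomplete attribute controls the suggestion list the question describes.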

nginx API cross origin calls not working only from some browsers

TLDR: the React app's API calls return status code 200 but with no body in the response; this happens only when accessing the web app from some browsers.
I have a React + Django application deployed using nginx and uWSGI on a single CentOS 7 VM.
The React app is served by nginx on the domain, and when users log in on the JavaScript app, REST API requests are made to the same nginx on a subdomain (i.e. backend.mydomain.com), for things like validating the token and fetching data.
This works on all recent versions of Firefox, Chrome, Safari, and Edge. However, some users have complained that they could not log in from their work network. They can visit the site, so obviously the JavaScript application is served to them, but when they log in, all of the requests come back with status 200, except the response has an empty body (and the login requires a few pieces of information to be sent back with the login response to work).
For example, when I log in from where I am, I get a response with status=200 and a JSON object with a few parameters in the body of the response.
But when one of the users showed me the same from their browser, they get Status=200 back, but the Response is empty. They are using the same browser versions as I have. They tried both Firefox and Chrome with the same behaviour.
After finally getting hold of one of the users to send me some screenshots, I found the problem. In my browser, which works with the site, the API calls to the backend had Referrer Policy set to strict-origin-when-cross-origin in the Headers. However, on their browser, the same was showing up as no-referrer-when-downgrade.
I had not explicitly set the referrer policy, so the browsers were using their own default values, which differed between browser versions (https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default).
To fix this, I added add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; to the nginx.conf file and restarted the server. More details here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
The users who had trouble before can now access the site's API resources after clearing the cache in their browsers.
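The one-line fix above works only if the header actually reaches the API responses, and nginx has a well-known trap there: `add_header` directives are inherited from an enclosing block only when the current block has no `add_header` of its own. The fragment below is an added example, not the poster's configuration; the host name and socket path are placeholders, and the CORS header is assumed because the frontend domain calls the backend subdomain cross-origin.

```nginx
# Added example, not the poster's configuration. Host name and socket path
# are placeholders. nginx inherits add_header from an enclosing block only
# when the current block has no add_header directives of its own, so a
# location that adds another header must repeat Referrer-Policy or the
# policy silently disappears for those responses.
server {
    listen 443 ssl;
    server_name backend.mydomain.com;   # placeholder

    # Applies to every response from this server block...
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location /api/ {
        # ...except here: this block's own add_header cancels inheritance,
        # so the policy is restated next to the CORS header it needs to
        # coexist with. "always" also sends it on 4xx/5xx responses.
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Access-Control-Allow-Origin "https://mydomain.com" always;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/backend.sock;   # placeholder socket path
    }
}
```

After reloading, the effective policy can be confirmed from a client with `curl -sI https://backend.mydomain.com/api/...` and checking that the `Referrer-Policy` header is present on the API path, not just on the site root.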

Does the close browser method in Watir clear the cache or cookies added during the test?

I have created an automated test for remembering login credentials on a website using Watir.
In the test scenario, after closing the browser, I reopen it again and check whether it opens the home page or not. The test redirects to login, so I want to ask:
Does the close browser method in Watir clear the cache or cookies added during the test?
By default, when Watir::Browser.new is called, it creates a new profile with new local storage for cookies and cache.
When browser.quit or browser.close is called, it destroys the temporary profile. It does not explicitly handle cookies or the cache, however these are eliminated when the temporary profile is deleted.
You can verify this by opening up irb and doing the following:
require 'watir-webdriver'
browser = Watir::Browser.new
browser.goto 'about:cache'
Observe the path for the Cache Directory. For me, it looks like /var/folders/fq/cjndhx054dj9kr6bls20pnh00000gn/T/webdriver-profile20140707-75724-15rrd9b/Cache.
Now do the following in irb.
browser.quit
browser = Watir::Browser.new
browser.goto 'about:cache'
Observe the path is different.
To reuse just cookies you could store the cookies in an instance or global variable prior to calling browser.quit and then restore the cookies later, after the new browser is instantiated. I use code similar to the following for a test that makes sure a 'Remember Me' box is checked on a login form.
# First test
browser = Watir::Browser.new
# browser logs in ...
$my_cookies = browser.cookies.to_a
browser.quit
# Second test
browser = Watir::Browser.new
$my_cookies.each do |cookie|
browser.cookies.add(cookie[:name], cookie[:value])
end
browser.goto 'my-test-site.com'
# test that username is remembered
I believe it is possible to use a specific profile, while maintaining settings, cache, and cookies, by creating a Selenium::WebDriver::Firefox::Profile.new and passing the profile as an argument to Watir::Browser.new :firefox, :profile => <my_profile_object>.
More on profiles can be found on Watir Webdriver Firefox Profiles; Cookie information is also available, but is not very complete. Updated links now included as of 2016-12-13.
It looks like .close may handle cookies, as shown in the close method description from GitHub:
    def close
      return if @closed
      @driver.quit
      @closed = true
    end
    alias_method :quit, :close # TODO: close vs quit
    #
    # Handles cookies.
    #
    # @return [Watir::Cookies]
    #
I am not seeing anything about caches however.
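The save-and-restore pattern in the answer above replays every entry of browser.cookies.to_a, which is more than a real browser keeps: a browser discards session cookies (those with no expiry) when it quits, so restoring them as well can make a "Remember Me" test pass even when the site only ever set a session cookie. The following is an added example, not the answer's code, and runs without Watir: it filters the saved cookies down to the persistent, unexpired ones and builds the arguments for Watir's browser.cookies.add(name, value, opts), which is assumed to accept :domain, :path, :secure and :expires options. The cookie hashes and FakeCookieJar are constructed for the demo.

```ruby
# Added example, not the answer's code. A real browser drops session cookies
# (no expiry) on quit, so only persistent, unexpired cookies are replayed into
# the new browser; restoring everything would hide a missing "remember me" cookie.
require 'time'

# Constructed sample in the shape Watir's browser.cookies.to_a returns.
SAMPLE_COOKIES = [
  { name: 'sessionid', value: 's3ss10n', domain: 'my-test-site.com',
    path: '/', secure: true, expires: nil },
  { name: 'remember_token', value: 'r3m3mb3r', domain: 'my-test-site.com',
    path: '/', secure: true, expires: Time.utc(2030, 1, 1) },
  { name: 'stale_token', value: 'old', domain: 'my-test-site.com',
    path: '/', secure: false, expires: Time.utc(2000, 1, 1) }
].freeze

# Cookies a browser would still have on disk after quitting and relaunching.
def persistent_cookies(cookies, now = Time.now)
  cookies.select { |c| c[:expires] && c[:expires] > now }
end

# Positional arguments for browser.cookies.add(name, value, opts); the scope
# attributes are carried over so the restored cookie matches the original.
# (Option names are an assumption about Watir's Cookies#add.)
def cookie_add_args(cookie)
  opts = { path: cookie[:path], secure: cookie[:secure], expires: cookie[:expires] }
  opts[:domain] = cookie[:domain] if cookie[:domain]
  [cookie[:name], cookie[:value], opts]
end

# Replays surviving cookies into any jar responding to add(name, value, opts),
# e.g. browser.cookies on a fresh Watir::Browser. Returns the names restored.
def restore_persistent_cookies(jar, cookies, now = Time.now)
  persistent_cookies(cookies, now).map do |cookie|
    jar.add(*cookie_add_args(cookie))
    cookie[:name]
  end
end

# Constructed stand-in for browser.cookies so the flow runs without a browser.
class FakeCookieJar
  attr_reader :added

  def initialize
    @added = []
  end

  def add(name, value, opts = {})
    @added << { name: name, value: value }.merge(opts)
  end
end

if __FILE__ == $PROGRAM_NAME
  jar = FakeCookieJar.new
  puts restore_persistent_cookies(jar, SAMPLE_COOKIES, Time.utc(2025, 1, 1)).inspect
end
```

In the real test, `$my_cookies = browser.cookies.to_a` before `browser.quit` and `restore_persistent_cookies(browser.cookies, $my_cookies)` after the new `Watir::Browser.new` replace the each-loop in the answer; if the login page still appears afterwards, the site never set a cookie that would survive a restart.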

ColdFusion 10 not writing to cfcookie on same browser but different computers

I am migrating websites from a server using CF 8 to a new one using CF 10. In this one site, I have a query that looks up talent and then writes the resulting list to a cfcookie. On my computer with any browser it works correctly. My client uses the same browser as I normally use (Safari), and his browser is not updating the cfcookie with the new talent list after a search. They are very unhappy, making me unhappy also. Any ideas as to what might be causing this problem?
In the application.cfm (yes, I know I should be updating to cfc but not enough hours in the day):
<CFAPPLICATION NAME="lil"
CLIENTMANAGEMENT="yes"
SESSIONMANAGEMENT="yes"
SESSIONTIMEOUT=" #createTimeSpan(0,0,30,0)#"
APPLICATIONTIMEOUT=" #createTimeSpan(0,1,0,0)#"
clientstorage="cookie">
Setting the cfcookie:
<cfif isdefined('getTalent.recordcount') and getTalent.recordcount gt 0>
<cfcookie name="tSearch" value="#valueList(getTalent.talentID)#" httponly="true" expires="1">
</cfif>
How large is the amount of data you are storing in the cookie, and could the client be storing more than you are? Are they possibly using a cookie-blocking security app of some kind?
In a bigger-picture kind of mindset, if the user is doing a search and getting results, rather than storing the results in a cookie, why not use either a session-scoped variable, or simply use the CF identity cookies already in place to store their results in a temporary database location? Cookie issues can be harder to track down, but unless you're not managing sessions in your Application.cfc or cfapplication tag, each user is already getting a unique ID which you can leverage server-side for this type of thing.
One last thought... are you doing any sort of CFLOCATION redirect, after attempting to store the cookie? Redirecting can cause CFCOOKIE commands to not be honored, because in essence the user's browser is redirected before it receives the response.
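The session-scoped alternative the answer suggests looks like the following. This is an added example, not code from the question or answer: it stores the same valueList the question puts in the cookie into the session scope, so only the CF identity cookies (CFID/CFTOKEN, or JSESSIONID when J2EE sessions are enabled) travel to the browser, and a long ID list no longer risks the roughly 4 KB per-cookie limit browsers enforce, which makes an oversized cfcookie vanish without any error.

```cfml
<!--- Added example, not the question's code. Keeps the search result in the
      session scope instead of a cfcookie. The session id travels in the CF
      identity cookies the cfapplication tag above already manages. --->
<cfif isDefined('getTalent.recordcount') and getTalent.recordcount gt 0>
    <cfset talentList = valueList(getTalent.talentID)>

    <!--- A single cookie is capped at about 4 KB by browsers; beyond that
          the Set-Cookie is dropped silently, which looks exactly like
          "the cookie is not updating". Server-side storage has no such cap. --->
    <cflock scope="session" type="exclusive" timeout="10">
        <cfset session.tSearch = talentList>
        <cfset session.tSearchAt = now()>
    </cflock>
</cfif>

<!--- On a later request, read the list back (and cope with its absence,
      e.g. after a session timeout). --->
<cflock scope="session" type="readonly" timeout="10">
    <cfif structKeyExists(session, "tSearch")>
        <cfset talentIDs = session.tSearch>
    <cfelse>
        <cfset talentIDs = "">
    </cfif>
</cflock>
```

Because the value never leaves the server, the redirect problem the answer raises last (a CFLOCATION issued before the Set-Cookie reaches the browser) also goes away: the session variable is written before the redirect and is available on the next request regardless.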

CSRF handling with Adobe Flash Application using Django backend

I'm building a flash game that uses Django as a backend.
I currently have an API endpoint set up using django-tastypie, which the Flash app can call to receive JSON data for populating the application.
I understand that using simple Django views and the templating system, one is able to simply include a csrf_token in a webpage with the aid of the middleware.
My problem now is trying to post data back to the server without using csrf_exempt, and ideally the Flash application can be run without inserting param tags. Hopefully a standalone swf file that'll work as it is.
How would one get a csrf_token into the flash app so it can post data back to the server without security concerns?
If the csrf_token way is not possible, are there any other ways to post data securely?
I have searched many avenues leading to similar questions, but many are unanswered.
Maybe I'm missing something here as I'm engrossed in my perspective. I hope someone can enlighten me on better ways to do it.
Thanks in advance.
It sounds like you may have two problems:
How do I actually send the CSRF token with my POST requests from Flash?
Django also accepts CSRF tokens via the header X-CSRFToken. See the docs here.
You can append headers to your request like so:
    var req:URLRequest = new URLRequest();
    req.url = "http://somesite.com";
    // Browser-hosted Flash content sends custom request headers only on POST
    // requests, so set the method before adding the header (req.data carries the body).
    req.method = URLRequestMethod.POST;
    var header:URLRequestHeader = new URLRequestHeader("X-CSRFToken", "foobar");
    req.requestHeaders.push(header);
URLRequests docs are here.
How do I get the CSRF token into my Flash file in the first place?!
(Option A) Because CSRF tokens are generated on a per request basis (e.g., with templating a traditional HTML form, on a GET request) the simplest thing to do is to pass the CSRF token to the Flash file via a templated parameter. Something like: <param name="csrf_token" value="{{ my_csrf_token }}" />
(Option B) It sounds like you don't want to do the parameter thing, so your final option is to build a custom Django view whose sole function is delivering a CSRF token to your Flash file. So the flow would be: your Flash file loads, your Flash makes a GET request to http://mysite.com/csrf_token/, which simply returns a valid CSRF token, and then you can use that token to do your POST. (Note you will need to do a GET request for each POST request.)
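Option B, carried through on the Flash side, is shown below as an added example; it is not the answer's code. It assumes a token view at the placeholder URL /csrf_token/ that returns JSON of the form {"csrf_token": "..."} and a placeholder tastypie resource URL to POST to. When the swf runs inside the browser, the request goes out with the browser's cookies for that domain, which is what Django's CSRF middleware compares the header token against; the header is sent on POST only, so the method is set explicitly.

```actionscript
// Added example, not the answer's code. Endpoint URLs are placeholders; the
// token view (Option B) is assumed to answer GET with {"csrf_token": "..."}.
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;
import flash.net.URLRequestMethod;

private const TOKEN_URL:String = "https://mysite.com/csrf_token/";      // placeholder
private const POST_URL:String  = "https://mysite.com/api/v1/score/";    // placeholder

// Step 1: fetch a fresh token, then hand it to the POST. The answer notes a
// GET is needed per POST, so the two are chained rather than cached.
private function fetchTokenThenPost(payload:Object):void {
    var tokenLoader:URLLoader = new URLLoader();
    tokenLoader.addEventListener(Event.COMPLETE, function(e:Event):void {
        var token:String = JSON.parse(tokenLoader.data).csrf_token;
        postWithToken(token, payload);
    });
    tokenLoader.addEventListener(IOErrorEvent.IO_ERROR, onError);
    tokenLoader.load(new URLRequest(TOKEN_URL));
}

// Step 2: POST with the token in the X-CSRFToken header Django reads.
private function postWithToken(token:String, payload:Object):void {
    var req:URLRequest = new URLRequest(POST_URL);
    // Browser-hosted Flash sends custom headers only on POST, and a POST
    // with no body is downgraded to GET, so both method and data are set.
    req.method = URLRequestMethod.POST;
    req.data = JSON.stringify(payload);
    req.requestHeaders.push(new URLRequestHeader("Content-Type", "application/json"));
    req.requestHeaders.push(new URLRequestHeader("X-CSRFToken", token));

    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, onPosted);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onError);
    loader.load(req);
}

private function onPosted(e:Event):void {
    trace("POST accepted: " + URLLoader(e.target).data);
}

private function onError(e:IOErrorEvent):void {
    // A 403 here usually means the header token and the csrftoken cookie
    // did not match, i.e. the token did not come from this session.
    trace("request failed: " + e.text);
}
```

The token view itself is the ordinary Django part of Option B: a view that calls django.middleware.csrf.get_token(request) and returns it as JSON, which both ensures the csrftoken cookie is set on the GET and gives the swf the matching value for the header.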

Django Upstream Caching (Vary On Headers) Not working

I have a view which displays user-specific content, meaning the content of the response for the same URL is unique per individual authenticated user.
Ideally, these pages would be cached in the browser. However, that does not appear to be the case in Chrome or Firefox (on production or locally).
The development server is processing the view each time, despite the fact that I've set the @vary_on_cookies decorator.
I have the right middleware in place (in the right order):
django.middleware.cache.UpdateCacheMiddleware
django.middleware.cache.FetchFromCacheMiddleware
Do I need to set CACHE_MIDDLEWARE_ANONYMOUS_ONLY = False?
One thing that I've noticed is that the request is sending this cache control header:
Cache-Control:max-age=0
I assume that that might be the root problem. Or is this related to the development server?
Any suggestions?
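What @vary_on_cookies actually changes is the cache key, not whether caching happens: it adds Cookie to the response's Vary header, so a cache stores one copy of the URL per distinct Cookie value instead of one copy per URL. The following is an added example, not from the question or from Django; it is a minimal, dependency-free model of that keying, the same idea Django's cache middleware applies when it records a URL's Vary header and hashes the named request headers into the key. The users and requests are constructed.

```python
"""Added example (not from the question or Django): a minimal model of how a
cache keys responses that carry a Vary header. @vary_on_cookies puts "Cookie"
in Vary, so the same URL is stored once per distinct Cookie header, which is
what keeps one authenticated user's page from being served to another.
Requests below are constructed."""
import hashlib


def cache_key(method, url, request_headers, vary):
    """Build a key from the URL plus the value of each header named in Vary.

    Header names are case-insensitive, so they are normalised before lookup;
    an absent header contributes an empty value, which is how an anonymous
    (cookie-less) request gets its own shared entry."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    parts = [method.upper(), url]
    for name in sorted(v.strip().lower() for v in vary.split(",") if v.strip()):
        parts.append(f"{name}={lowered.get(name, '')}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


class VaryAwareCache:
    """Tiny response cache. It remembers the Vary header seen for each URL
    (as Django's cache middleware does) and uses it to key later lookups."""

    def __init__(self):
        self._entries = {}      # key -> body
        self._vary_by_url = {}  # url -> Vary header of the last stored response

    def store(self, url, request_headers, response_headers, body):
        vary = response_headers.get("Vary", "")
        self._vary_by_url[url] = vary
        self._entries[cache_key("GET", url, request_headers, vary)] = body

    def lookup(self, url, request_headers):
        vary = self._vary_by_url.get(url)
        if vary is None:
            return None  # URL never cached, a miss
        return self._entries.get(cache_key("GET", url, request_headers, vary))


def demo():
    """Two authenticated users and one anonymous visitor fetch /dashboard/."""
    cache = VaryAwareCache()
    alice = {"Cookie": "sessionid=alice"}
    bob = {"Cookie": "sessionid=bob"}
    cache.store("/dashboard/", alice, {"Vary": "Cookie"}, b"alice's page")
    cache.store("/dashboard/", bob, {"Vary": "Cookie"}, b"bob's page")
    return {
        "alice": cache.lookup("/dashboard/", alice),
        "bob": cache.lookup("/dashboard/", bob),
        "anonymous": cache.lookup("/dashboard/", {}),
    }


if __name__ == "__main__":
    for who, body in demo().items():
        print(who, body)
```

The same model explains why a cached user-specific page is a per-user hit rather than a cross-user leak: without Vary: Cookie the two store calls above would collide on one key and the second user would read the first user's body.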