I've just completed part 4 of the Django 1.4 tutorial and I'm sure they just chucked CSRF and generic views in to confuse the hell out of me.
Okay, so generic views I get now, but I don't understand what is happening with CSRF protection.
This is what I think is happening: the CSRF token is a hash/key generated by modules used in the app and a logged in user if logged in. The token is somehow sent with a POST method form to the receiving view which again generates the hash and compares it with the one sent with the form to make sure nobody has snooped in? Have I got this completely wrong?
Having used the rest of the Django manual during the tutorial this is by far the most confusing manual page I have read.
It's confusing because it addresses a subtle vulnerability with web browsers.
Let's say we have two sites: site.com and evil.com. Then the owner of evil.com can, if he knows the structure of the site.com website (which is easy if he can use it), set up a form targeting it.
<form action="http://target.com/my_account/_delete" method="POST">
<input type="submit" value="Click Here for candy"></input>
</form>
Anyone clicking it and logged into site.com will instantly trigger the action linked to (in this case, destroying their own account).
The idea of a csrf token is that the legitimate form looks like this:
<form action="http://target.com/my_account/_delete" method="POST">
<input type="hidden" name="csrf_token" value="AEyaF8af8AIHJFA0L"></input>
<input type="submit" value="Don't click this unless absolutely sure!"></input>
</form>
and because this value is user specific, and only known by and shown on the website, the users are now safe, and can't delete their account without going through the proper page first, as any page from the attacker would not know this value.
Hopefully this is clearer.
Related
Say I have api that returns form data. Data is not important here but will postman allow the following:
<form action="{{result.FormAction}}">
<input type="text" name="name" value="{{result.Name}}">
</form>
So the api will return data to be put into the form?
I can't find any articles or maybe searching for wrong thing.
Would I need to do this by JavaScript from Postman?
Problem
There is an API that requires a form post. This API is 3rd party so in the UI (this all works). The part of the form is generated by the API and fields are added to the form before it is posted from the client side. Our API returns the form action along with the fields that are generated on the server side.
So for my example above I am wondering if this could be tested by Postman. It's not critical as it all works well on the client side but would be nice to be able to run a few tests using Postman.
I'm using Django with django-two-factor-auth for my web application. I can now send SMS via Twilio and verify it, but I haven't figured out how to resend the SMS code when I need i.e. click on "Didn't received your code? Resend!".
I have read through django-two-factor-auth docs but couldn't find any info about implementing this.
Do I need to configure django-two-factor-auth somehow, or customize the lib (which is what I don't really prefer to do) ?
Could you please help me? Thank you for your time :)
Currently this is not possible with this package. However feel free to request this issue on the GitHub repository.
Another possibility is to implement this yourself. The token is sent when the wizard page named token is rendered. Your template would need to submit a POST to the login view, requesting the same page. The button should look similar to the request backup token, so (untested) something like this:
<button name="challenge_device" value="{{ device.persistent_id }}"
class="btn btn-default btn-block" type="submit">Resend token</button>
I am using Django 1.5 and django-social-auth. I am able to login with facebook using the template:
<img src="{% static "assets/img/login-with-facebook.png" %}"></img>
Later I use the disconnect template which I thought would disconnect me from facebook, as in if I later go to facebook.com I should be asked to log in again. I believe this is the usual behavior for most apps that use social authentication.
<a id="logout-option" href={% url "socialauth_disconnect" 'facebook'%}>[logout]</a>
Can someone explain what the expected behavior should be for the socialauth_disconnect and whether it should also log me out of facebook? If not, what is the recommended way of doing so? What about other providers?
socialauth_disconnect will remove the association between the Facebook account and the User account in your application, as if the user never hit the socialauth_begin link. There's no way from django-social-auth to logout your Facebook account, to make that possible the Facebook SDK might be needed (never did that so I'm not 100% sure), since to make that possible I guess some cookies will be removed, and to do that the script must come from the same domain.
I'm using the nice django-social-auth in one of my projects.
Basically I would like to be able to login without leaving the current page (whithout even refreshing it).
I thought about simply using target="_blank" in my provider links
<a href="{% url socialauth_begin service %}"
rel="nofollow" target="_blank">{{ service|title }}</a>
But of course it is redirecting to the default location after the successful login.
Is there a way to automatically close this new window on success so the user gets the previous page ?
With some JS and some parameters for the backend, you could open a popup window where the user can do the auth (some backends accept parameters that generate a different auth dialog layout). In that popup the user will proceed with the auth process and the popup could be closed with some JS too when the user is redirected back to the final URL.
Some of the services support javascript based login, which might be what your are looking for, however it depends on which services you want to use and whether they do support this. For example there is Client-side JavaScript SDK on Facebook.
Just wondering (Coldfusion Newbie). I'm on this page, showing an example how to setup a user login/logout in Coldfusion.
Simple question:
If the user is not logged in, the application.cfc inserts a login form.
Question:
Is there any way to set a target where this login form ends up? Some target/selector/anything to make it show up where it's supposed to?
Thanks for infos!
The way that code is set up it doesn't matter where you point it as the cflogin tag will always catch the request and process it. In pseudocode...
if not logged-in (cflogin)
if not submitting form
show login form
else
process login form