On Wed, Sep 29, 2010 at 11:44 AM, Yo-Yo Ma <baxterstockman@gmail.com> wrote:
User logs into your site (SaadsDjangoSite.com). User goes to
CriminalCSRFSite.com while logged into yours. They put a script tag in
their page that has a post-back to ttp://saadsdjangosite.com/delete-everything-and-kill-kittens/.
This causes the user's logged in browser to make a request to your
site, and delete everything and kill kittens, all without the user
knowing what happened.
Follow those instructions. Make sure you put {% csrf_token %} right
after your open <form> tag.
> mechanism<http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ref-contrib-csrf>has
On Sep 28, 11:38 pm, Saad Sharif <myscotlandproj...@gmail.com> wrote:
> Thanks a lotttt :)
>
> but there is a new error
>
> The Error:
>
> Forbidden (403)
>
> CSRF verification failed. Request aborted.
> Help
>
> Reason given for failure:
>
> CSRF token missing or incorrect.
>
> In general, this can occur when there is a genuine Cross Site Request
> Forgery, or when Django's CSRF
> not been used correctly. For POST forms, you need to ensure:> RequestContext<http://docs.djangoproject.com/en/dev/ref/templates/api/#subclassing-c...>for
>
> - The view function uses
> the template, instead of> csrf_protecton any views that use the
> Context.
> - In the template, there is a {% csrf_token %} template tag inside each
> POST form that targets an internal URL.
> - If you are not using CsrfViewMiddleware, then you must use
> csrf_token template tag, as well as those that accept the POST data.
>
> You're seeing the help section of this page because you have DEBUG = True in
> your Django settings file. Change that to False, and only the initial error
> message will be displayed.
>
> You can customize this page using the CSRF_FAILURE_VIEW setting.
>
> > django-users+unsubscribe@googlegroups.com<django-users%2Bunsubscribe@googlegroups.com>> On Wed, Sep 29, 2010 at 10:39 AM, Yo-Yo Ma <baxterstock...@gmail.com> wrote:
> > (r'^login/', include('macrohms.views.login')), is incorrect.
>
> > the include() function, pertaining to urls.py is for including other
> > URL confs (so you can have sub-sections of your site contain their own
> > urls.py). You'll want to replace that line with:
>
> > url(r'^login/$', 'macrohms.views.login')),
>
> > Note, I changed two additional things - I changed your tuple to a
> > url() function call instead, and I added a $ at the end of the URL
> > pattern (denotes the end of a string in regex). The url() function is
> > the "cool" way to define URLs.
>
> > On Sep 28, 10:41 pm, Saad Sharif <myscotlandproj...@gmail.com> wrote:
> > > Hi all,
>
> > > I created a simple login form
>
> > > My code:
> > > <form method="post" action="/login/" ENCTYPE="multipart/form-data"
> > > dojoType="dijit.form.Form" >{% csrf_token %}
> > > username <input>
> > > password <input type="password">
> > > <button> login <input type="submit" value="Submit">
> > > </form>
>
> > > In views.py i added
>
> > > def login(request):
> > > return render_to_response('login.html')
>
> > > In urls.py i added
>
> > > (r'^login/', include('macrohms.views.login')),
>
> > > The Error when i press login button:
> > > ImportError at /login/
>
> > > No module named login
>
> > > Request Method: POST Request URL:http://localhost:8000/login/Django
> > > Version: 1.2.3 Exception Type: ImportError Exception Value:
>
> > > No module named login
>
> > > Exception Location:
>
> > /home/saad/www/lib/python2.6/site-packages/Django-1.2.3-py2.6.egg/django/utils/importlib.py
> > > in import_module, line 35 Python Executable: /home/saad/www/bin/python
> > Python
> > > Version: 2.6.5 Python Path: ['/home/saad/www/webapps/macrohms',
> > > '/home/saad/www/lib/python2.6/site-packages/setuptools-0.6c11-py2.6.egg',
> > > '/home/saad/www/lib/python2.6/site-packages/pip-0.8.1-py2.6.egg',
> > > '/home/saad/www/lib/python2.6/site-packages/Django-1.2.3-py2.6.egg',
> > > '/home/saad/www/lib/python2.6/site-packages/Coffin-0.3.3-py2.6.egg',
> > > '/home/saad/www/lib/python2.6/site-packages/Jinja2-2.5.2-py2.6.egg',
> > > '/home/saad/www/lib/python2.6/site-packages/WTForms-0.6.1-py2.6.egg',
> > > '/home/saad/www/lib/python2.6',
> > '/home/saad/www/lib/python2.6/plat-linux2',
> > > '/home/saad/www/lib/python2.6/lib-tk',
> > > '/home/saad/www/lib/python2.6/lib-old',
> > > '/home/saad/www/lib/python2.6/lib-dynload', '/usr/lib/python2.6',
> > > '/usr/lib/python2.6/plat-linux2', '/usr/lib/python2.6/lib-tk',
> > > '/home/saad/www/lib/python2.6/site-packages'] Server time: Tue, 28 Sep
> > 2010
> > > 23:40:56 -0500
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Django users" group.
> > To post to this group, send email to django-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > .--
> > For more options, visit this group at
> >http://groups.google.com/group/django-users?hl=en.
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
No comments:
Post a Comment