Re: 403 error when POSTing to a view with csrf protection
Hi Kurtis -
The problem is that the client is not a web browser. It's a desktop application that I'm developing for Mac OS using the Cocoa frameworks. The Django server will process the user's data and return it to the user's desktop application. The desktop app will communicate with the Django server via HTTPS using JSON. Right now I'm trying to set up authentication. I have set up authentication for Django before, in a traditional web app (in another project), and it all works as expected. Now I'm trying to do it again using my desktop app as the client and I can't get authentication to work. As Cal said, I'm probably not providing enough information for anyone to help me here, but I'll try again.
Here are the steps I'm trying to accomplish:
1) The desktop app sends a GET request to a Django view. The purpose of this is to get the CSRF token that will be used for the rest of the session. This Django view function has the @ensure_csrf_cookie decorator to ensure that it will send the CSRF token even though I'm not using a template and the template tag.
2) The desktop app sends a POST request with JSON in the body to log the user into the Django app. The JSON contains the user's userid and password. The request also contains the CSRF cookie.
Steps 1 and 2 are using the same view function (below). When the desktop app sends the POST request in step 2, I get the 403 error that I described previously, and the function is never called. If I add the @csrf_exempt decorator, then I can get the view function to execute the "if request.method == 'POST':" block shown below. It seems like the CSRF cookie isn't being sent with the POST request, which is why I added the @csrf_exempt decorator and the "print request" statement in the code below. That enables me to see the request object that is sent to the Django view. The request does indeed contain the CSRF cookie. See the block of text at the end of this message.
from django.core.context_processors import csrf
from django.http import HttpResponse
from django.shortcuts import render_to_response
from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie


@ensure_csrf_cookie   # make sure the GET response sets the csrftoken cookie
@csrf_exempt          # added only for debugging: skips the CSRF check so the POST reaches the view
def login(request):
    print('received login request using method ' + request.method)
    if request.method == 'POST':
        # todo: login user
        print(request)
        return HttpResponse()  # a view must return a response; placeholder until login is implemented
    else:  # must be a GET. return the csrf token
        c = {}
        c.update(csrf(request))
        return render_to_response('empty.html', c)
When the client app performs the two steps described above, it calls this function twice, once with a GET and once with a POST. In the POST, the request object is printed to stdout. Here are the first few lines of the output showing that the CSRF cookie is included with the request:
GET:<QueryDict: {}>,
POST:<QueryDict: {u'{"user":"test_user","password":"test_password"}': [u'']}>,
COOKIES:{'csrftoken': 'qsl91ZDqVL5wirXlUwIYmu8ytTVES3nt'},
META:{'Apple_PubSub_Socket_Render': '/tmp/launch-ZubgcP/Render',
'Apple_Ubiquity_Message': '/tmp/launch-BfYBfH/Apple_Ubiquity_Message',
'COMMAND_MODE': 'unix2003',
'CONTENT_LENGTH': '47',
'CONTENT_TYPE': 'application/json',
'CSRF_COOKIE': 'qsl91ZDqVL5wirXlUwIYmu8ytTVES3nt',
'CSRF_COOKIE_USED': True,
'DISPLAY': '/tmp/launch-EruXcM/org.x:0',
'DJANGO_SETTINGS_MODULE': 'nsserver.settings',
'EDITOR': 'nano',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HOME': '/Users/mike',
'HTTP_ACCEPT': 'application/json',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_COOKIE': 'csrftoken=qsl91ZDqVL5wirXlUwIYmu8ytTVES3nt',
'HTTP_HOST': '127.0.0.1:8000',
As I mentioned earlier, the purpose of the initial GET request is only to get the CSRF cookie that will be used in the rest of the session. Now I'm wondering whether I'm setting up the CSRF token correctly in that block of code.
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/54ivyoW39DMJ.
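The printed request above shows why Django's CsrfViewMiddleware returns a 403 even though the csrftoken cookie arrives: the middleware requires the token to be submitted a second time, independently of the cookie, either as the csrfmiddlewaretoken form field or, for bodies that are not form-encoded (such as this JSON login), as the X-CSRFToken header. A JSON body contributes no csrfmiddlewaretoken field (it lands in POST as a single key with an empty value, exactly as printed), and no X-CSRFToken header was sent, so the comparison fails. The following is an added example, not the poster's code and not Django itself: it re-implements that decision (Django 1.4-era behaviour over plain HTTP; the extra Referer check Django performs for HTTPS is left out) so the thread's request can be compared with the corrected one without a running server. The token value is the one printed in the thread; the mismatched header value and the helper names are constructed.

```python
"""Model of Django's CSRF double-submit check, applied to the requests in this thread.

Added example. Re-implements the check made by django.middleware.csrf.CsrfViewMiddleware
(Django 1.4 era, plain HTTP; the Referer check done for HTTPS is omitted) so the poster's
request and the corrected request can be compared offline. Sample values are constructed
or copied from the printed request above.
"""
import hmac

CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
CSRF_HEADER = "HTTP_X_CSRFTOKEN"          # WSGI name of the X-CSRFToken request header
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def check_csrf(method, cookies, post, meta):
    """Return None when the request passes, otherwise the rejection reason
    the middleware would report in its 403 response."""
    if method in SAFE_METHODS:
        return None                      # the GET that fetches the cookie is never checked
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    # The token has to be *submitted* as well as carried in the cookie:
    # as a form field, or (for non-form bodies such as JSON) as a header.
    submitted = post.get(CSRF_FORM_FIELD, "") if method == "POST" else ""
    if submitted == "":
        submitted = meta.get(CSRF_HEADER, "")
    if not hmac.compare_digest(submitted, cookie_token):
        return REASON_BAD_TOKEN
    return None


def client_request(cookie_token, json_body, header_token=None):
    """Build the (cookies, post, meta) triple Django would see for a JSON POST from
    the desktop client.  Mirrors the printed request: a JSON body with no form
    encoding ends up in POST as a single key with an empty value, so no
    csrfmiddlewaretoken field exists."""
    cookies = {CSRF_COOKIE_NAME: cookie_token}
    post = {json_body: ""}
    meta = {
        "CONTENT_TYPE": "application/json",
        "HTTP_COOKIE": "%s=%s" % (CSRF_COOKIE_NAME, cookie_token),
    }
    if header_token is not None:
        meta[CSRF_HEADER] = header_token  # what the X-CSRFToken header becomes in META
    return cookies, post, meta


TOKEN = "qsl91ZDqVL5wirXlUwIYmu8ytTVES3nt"  # value printed in the thread
BODY = '{"user":"test_user","password":"test_password"}'


def poster_request():
    """Cookie present, token not resubmitted: the thread's POST as printed."""
    return check_csrf("POST", *client_request(TOKEN, BODY))


def fixed_request():
    """Same request with the cookie value echoed back in X-CSRFToken."""
    return check_csrf("POST", *client_request(TOKEN, BODY, header_token=TOKEN))


def mismatched_request():
    """Cookie present but the header carries a different (constructed) value."""
    return check_csrf("POST", *client_request(TOKEN, BODY, header_token="x" * 32))


if __name__ == "__main__":
    print("cookie only     ->", poster_request())
    print("cookie + header ->", fixed_request())
    print("wrong header    ->", mismatched_request())
```

For the desktop client this means: keep the GET (with @ensure_csrf_cookie) to obtain the cookie, then on every POST send both the Cookie header and an X-CSRFToken header whose value is the csrftoken cookie just received. Once that header is in place the @csrf_exempt decorator can be removed, which matters because stacked on the view it disables the check for every caller, not just the one being debugged.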