-
-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The CSRF session token is missing. #519
Comments
Hi. Please provide a reproducible example of your issue, ideally some piece of code we can copy/paste so we can see the behavior you are describing. Your messages just don't contain enough information so we can help you.
I don't understand. Are you or are you not using wtforms? |
@azmeuk Thanks for your quick reply, I now realized that I opened the issue in the wrong repo, it was meant for btw we are only using the CSRF protection, without wtforms, as I said. we have our own custom schema. Thanks! |
As I said earlier, we cannot help you unless you tell us very precisely how to reproduce the bug you are encountering. |
I was following the documentation and initialized the CSRFProtect as stated in it:
and as stated in the documentation i m rendering the hidden input with the token in the form : I also exempt the blueprints that come from the extensions, I want to implement Nothing more is added. |
I still do not have enough data to fully understand your bug. Please provide a piece of code I can just copy/paste, or a repository I can clone. |
@azmeuk here is the repo -> https://github.com/ckan/ckan if you need some help, please let me know. Thanks |
@azmeuk I think this function might be our problem. I set two breakpoints(), one inside ckan_before_request and one in ckan_after_request. In ckan_before_request I can print the request.form, and also I m seeing the token, though, not in the session, also the response is 400 (this probably comes from When the breakpoint stops on the ckan_after_request only then i can see the csrf_token set in the session, but it's too late, I m already 400. Seems like our forms are late with generating the token and yet I m not sure how I see it in the request.form What is your opinion on this? |
Actual Behavior
Everything works fine when the user is logged in,
400 Bad Request
happens when I try to log the user in... same behavior is when I try to register a user (csrf_token
is missing in the session when the user is anonymous)... have I missed something to configure maybe?Note: We are not using the
wtforms
, we have our own custom scheme.Thanks!
Environment
The text was updated successfully, but these errors were encountered: