Where is the csrftoken stored in Django database?

Where is the csrftoken stored?

When I access an API endpoint (the logout API, which does not need any params):

POST /rest-auth/logout/ HTTP/1.1
Host: 10.10.10.105:8001
Connection: keep-alive
Content-Length: 0
Accept: application/json, text/plain, */*
Origin: http://localhost:8080
Authorization: Token 0fe2977498e51ed12ddc93026b08ab0b1a06a434
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36
Referer: http://localhost:8080/register
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: sessionid=b95zopro0qvkrexj8kq6mzo1d3z2hvbl; csrftoken=z53lKL0f7VHkilYS5Ax8FMaQCU2ceouje9OeTJOgTy4gH0UgHVltAlOe2KFNNNB6 

The headers are shown above. In the response I get an error:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

So, the backend must have verified the csrftoken.

In the backend database, I cannot find the csrftoken field:


So I want to know where it is saved. In the encrypted session_data?

Charcoal asked 15/3, 2018 at 11:26
By default the CSRF token is stored in a cookie. You won't find it in the database. If you want to store it in the session data you can set CSRF_USE_SESSIONS. – Naturism
But if the backend does not store the csrftoken, how can it verify it? – Charcoal
You can't. See docs.djangoproject.com/en/2.0/ref/csrf/… . – Naturism
You can exempt CSRF validation if you are using DRF or any API. – Disequilibrium
What do you need the csrf_token for? – Rainer
@KingReload Now I want to get the csrftoken in the frontend and set it in the request header x-csrftoken: #49312973 – Charcoal

Given this QA in the django docs, you can see that the framework by default uses the Double Submit Cookie approach (rather than the synchronizer pattern).

This approach does not require the server to store the CSRF token: the only check it does is comparing the token in the cookie with the one in the header (or parameter) and verifying that they are equal.

The synchronizer pattern, on the other hand, does store the CSRF token somewhere on the server, and for each request it verifies its validity by comparing it with the one sent in the header (or, as before, in a POST parameter).

You can read more about the two approaches here.


I guess you are testing your API with a web service testing application, in which case you are missing the second token somewhere in your request.

This section explains how to place the token for AJAX calls:

AJAX
While the above method can be used for AJAX POST requests, it has some inconveniences: you have to remember to pass the CSRF token in as POST data with every POST request. For this reason, there is an alternative method: on each XMLHttpRequest, set a custom X-CSRFToken header to the value of the CSRF token. This is often easier, because many JavaScript frameworks provide hooks that allow headers to be set on every request.

Looking at your request above, you should therefore add this header (with the value of the current token, of course):

X-CSRFToken: z53lKL0f7VHkilYS5Ax8FMaQCU2ceouje9OeTJOgTy4gH0UgHVltAlOe2KFNNNB6
Galvanic answered 15/3, 2018 at 13:52
See this post of mine: #49312973 I cannot get the cookie's csrftoken. I don't know why. – Charcoal
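The following is an added example, not code from the question, the answer, or Django itself: a stand-alone Python reimplementation of the two checks the answer contrasts. The double-submit function mirrors the token layout Django 2.x used (a 32-character secret masked into a 64-character token; the csrftoken cookie in the question is 64 characters), so it needs no server-side state at all. The synchronizer function instead keeps a constructed in-memory table standing in for django_session. The sessionid, csrftoken and Token header values are copied from the question's request; the function and constant names (double_submit_check, synchronizer_check, SESSION_STORE, demo) are this example's own, not Django's API.

```python
import hmac
import secrets
import string

# Token layout used by Django 2.x: a 32-character secret from this alphabet,
# masked into a 64-character token (mask + shifted secret). The constants are
# named after Django's, but this is a stand-alone reimplementation.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

# Values copied from the request in the question.
QUESTION_COOKIES = {
    "sessionid": "b95zopro0qvkrexj8kq6mzo1d3z2hvbl",
    "csrftoken": "z53lKL0f7VHkilYS5Ax8FMaQCU2ceouje9OeTJOgTy4gH0UgHVltAlOe2KFNNNB6",
}
FAILURE = "CSRF Failed: CSRF token missing or incorrect."


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret):
    """mask + (secret shifted by mask): each masking of one secret looks
    different on the wire, so the token cannot be recovered via BREACH."""
    mask = new_csrf_string()
    n = len(CSRF_ALLOWED_CHARS)
    shifted = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + shifted


def unmask_token(token):
    mask, shifted = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(shifted, mask)
    )


def _well_formed(token):
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def double_submit_check(cookies, headers, form=None):
    """Double submit cookie: no server-side state at all. The cookie and the
    submitted token (header or form field) must unmask to the same secret."""
    cookie = cookies.get("csrftoken", "")
    lowered = {k.lower(): v for k, v in headers.items()}
    submitted = lowered.get("x-csrftoken") or (form or {}).get("csrfmiddlewaretoken", "")
    if not (_well_formed(cookie) and _well_formed(submitted)):
        return False, FAILURE
    if not hmac.compare_digest(unmask_token(cookie), unmask_token(submitted)):
        return False, FAILURE
    return True, "ok"


# Constructed stand-in for a server-side session table: what a synchronizer-
# pattern app stores, or roughly what django_session holds under CSRF_USE_SESSIONS.
SESSION_STORE = {}


def synchronizer_issue(session_id):
    """Synchronizer pattern: mint a token and remember it against the session."""
    token = new_csrf_string(CSRF_TOKEN_LENGTH)
    SESSION_STORE[session_id] = token
    return token


def synchronizer_check(cookies, headers):
    """The server must look the token up; with nothing stored it cannot verify."""
    stored = SESSION_STORE.get(cookies.get("sessionid", ""))
    submitted = {k.lower(): v for k, v in headers.items()}.get("x-csrftoken", "")
    return stored is not None and hmac.compare_digest(stored, submitted)


def demo():
    """Replay the question's POST: rejected without the header, accepted with it."""
    as_sent = {"Authorization": "Token 0fe2977498e51ed12ddc93026b08ab0b1a06a434"}
    with_cookie_value = {**as_sent, "X-CSRFToken": QUESTION_COOKIES["csrftoken"]}
    # A freshly masked token of the same secret, as {% csrf_token %} would render.
    fresh = mask_secret(unmask_token(QUESTION_COOKIES["csrftoken"]))
    with_fresh = {**as_sent, "X-CSRFToken": fresh}
    return tuple(
        double_submit_check(QUESTION_COOKIES, h)[0]
        for h in (as_sent, with_cookie_value, with_fresh)
    )


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

demo() returns False for the request exactly as the question sent it and True once X-CSRFToken carries either the cookie value itself or any fresh masking of the same secret; a token masked from a different secret is rejected even though it has the right length and alphabet. Two caveats for anyone comparing this with real Django: the middleware additionally checks the Referer header on HTTPS requests, and since Django 4.1 the cookie holds the unmasked 32-character secret rather than a masked token. Also relevant to the question's request, which carries both a sessionid cookie and an Authorization: Token header: DRF's SessionAuthentication enforces this CSRF check whenever the session cookie authenticates the user, which is why the logout call was checked at all.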

© 2022 - 2024 — McMap. All rights reserved.