Flask CSRF token missing [duplicate]
I am trying to use csrf protection on my website with no luck. I am doing everything the documentation says but it still says I am missing the csrf session token. And when I try printing the csrf token on the html page it does show there is one and prints it on the page.

I have been trying to solve this problem for 2 days now and I cannot find a solution.

My code:

from flask import Flask, request, render_template
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)
app.config["SECRET_KEY"] = 'secret'

@app.route("/reserve", methods=["GET", "POST"])
def reserve():
    if request.method == "GET":
        return render_template("reserve.html")


<form id="Reserve" action="/reserve" method="post">
   <!-- csrf protection -->
   <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
   <input type="text" placeholder="Name">
   <button type="submit">
        Submit
   </button>
</form>
Pelecypod answered 2/10, 2021 at 10:0 Comment(0)

If I understood correctly, your problem is not being able to access the csrf token data in your view code.

I've added some code in order to return the token from the server side when it receives a POST request and it works without issues:

Folder structure

  ├── app.py
  └── templates
    └── reserve.html

(by default Flask looks in the templates folder in the project root)

app.py

from flask import Flask, request, render_template
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)
app.config['SECRET_KEY'] = 'secret'


@app.route('/reserve', methods=['GET', 'POST'])
def reserve():
    if request.method == 'GET':
        return render_template('reserve.html')

    if request.method == 'POST':
        return {
            'token': request.form.get('csrf_token')
        }


if __name__ == '__main__':
    app.run()

reserve.html

<form id="Reserve" action="/reserve" method="post">
   <!-- csrf protection -->
   <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
   <input type="text" placeholder="Name">
   <button type="submit">
        Submit
   </button>
</form>

Start the server:

$ python app.py 
 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

Then open this URL in your browser: http://127.0.0.1:5000/reserve


If you inspect the HTML form you'll see something like this:

<input type="hidden" name="csrf_token" value="IjZkNGZhMTI1MGVmNWUzZDA4OGEwOThlZjZiODIxMGY3MTljYjBiNWUi.YVg1pA.EzPIPEqadPoq8oZQNxWpi33WRqk">

Submit the input value and you'll see that the received token is the same as the rendered value in the hidden input:

{"token":"IjZkNGZhMTI1MGVmNWUzZDA4OGEwOThlZjZiODIxMGY3MTljYjBiNWUi.YVg1pA.EzPIPEqadPoq8oZQNxWpi33WRqk"}
Exuberant answered 2/10, 2021 at 10:39 Comment(2)
Do I understand your answer correctly, that it works for you and you could not reproduce the problem? Winnow
Yes. This code works for me and I can't reproduce the OP problem. Exuberant
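The error in the question, "The CSRF session token is missing", is distinct from "The CSRF token is missing": the first means the hidden field arrived but the session half of the token did not, which is why the answer's working app proves nothing about the question's browser. The following is an added example, not code from the question, the answer or Flask-WTF itself. It is a stdlib-only model of the session-bound (synchronizer token) check that CSRFProtect performs: a random value lives in the signed session cookie, the form carries a signed, time-stamped digest of it, and validation needs both halves. The error strings are the ones Flask-WTF's validate_csrf raises; SECRET_KEY, TIME_LIMIT, the HMAC-SHA256 signing (Flask-WTF uses itsdangerous) and the sample session dictionaries are assumptions made for the example.

```python
"""Model of Flask-WTF's session-bound CSRF check (added example, not
Flask-WTF's code). The session dict stands in for the server's view of
the signed session cookie; the form token is what {{ csrf_token() }}
renders into the hidden input."""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"change-me"  # assumption: stands in for app.config["SECRET_KEY"]
TIME_LIMIT = 3600          # Flask-WTF's default WTF_CSRF_TIME_LIMIT, in seconds


class CSRFError(Exception):
    """Raised with the same messages CSRFProtect uses."""


def _sign(payload: str) -> str:
    # HMAC-SHA256 over the payload; Flask-WTF uses itsdangerous instead.
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def _unsign(token: str) -> str:
    payload, _, _mac = token.rpartition(".")
    if not payload or not hmac.compare_digest(_sign(payload), token):
        raise CSRFError("The CSRF token is invalid.")
    return payload


def generate_csrf(session: dict, now=None) -> str:
    """What {{ csrf_token() }} does on GET: store a raw secret in the session
    once, and render a signed, time-stamped SHA-1 digest of it for the form."""
    now = int(now if now is not None else time.time())
    session.setdefault("csrf_token", secrets.token_hex(32))
    digest = hashlib.sha1(session["csrf_token"].encode()).hexdigest()
    return _sign(f"{digest}:{now}")


def validate_csrf(session: dict, form_token, now=None) -> None:
    """What CSRFProtect does on POST, in the same order as Flask-WTF."""
    now = int(now if now is not None else time.time())
    if not form_token:
        raise CSRFError("The CSRF token is missing.")
    if "csrf_token" not in session:
        # The symptom in the question: the hidden field rendered and was
        # submitted, but the request carried no session cookie.
        raise CSRFError("The CSRF session token is missing.")
    payload = _unsign(form_token)
    digest, _, issued = payload.rpartition(":")
    if not issued.isdigit() or now - int(issued) > TIME_LIMIT:
        raise CSRFError("The CSRF token has expired.")
    expected = hashlib.sha1(session["csrf_token"].encode()).hexdigest()
    if not hmac.compare_digest(digest, expected):
        raise CSRFError("The CSRF tokens do not match.")


def check(session: dict, form_token, now=None) -> str:
    """Return "ok" or the error message, so outcomes can be tabulated."""
    try:
        validate_csrf(session, form_token, now)
    except CSRFError as exc:
        return str(exc)
    return "ok"


def demo() -> dict:
    """Walk the GET-then-POST flow through each failure mode."""
    t0 = 1_700_000_000
    session = {}                             # constructed: one browser's session
    token = generate_csrf(session, now=t0)   # GET /reserve renders this
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "same session": check(session, token, t0 + 5),
        "no form field": check(session, "", t0 + 5),
        "cookie not sent": check({}, token, t0 + 5),
        "other user's cookie": check({"csrf_token": secrets.token_hex(32)}, token, t0 + 5),
        "tampered": check(session, tampered, t0 + 5),
        "expired": check(session, token, t0 + TIME_LIMIT + 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

The "cookie not sent" row reproduces the question's message with a perfectly valid hidden field, so when that error appears the thing to inspect is the request's Cookie header, not the template: the page and the form action must be served from the same host (a page loaded from localhost posting to 127.0.0.1 gets a fresh, empty session), the browser must not be blocking the session cookie, and SESSION_COOKIE_SECURE must not be set while testing over plain http.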
