blob: 7d1ee6fea73a291ba9dfb07db189088a82fa5bb4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
.. _csrf_chapter:
Preventing Cross-Site Request Forgery Attacks
=============================================
`Cross-site request forgery
<http://en.wikipedia.org/wiki/Cross-site_request_forgery>`_ attacks are a
phenomenon whereby a user with an identity on your website might click on a
URL or button on another website which unwittingly redirects the user to your
application to perform some command that requires elevated privileges.
You can avoid most of these attacks by making sure that a the correct *CSRF
token* has been set in an :app:`Pyramid` session object before performing any
actions in code which requires elevated privileges and is invoked via a form
post. To use CSRF token support, you must enable a :term:`session factory`
as described in :ref:`using_the_default_session_factory` or
:ref:`using_alternate_session_factories`.
Using the ``session.new_csrf_token`` Method
-------------------------------------------
To add a CSRF token to the session, use the ``session.new_csrf_token`` method.
.. code-block:: python
:linenos:
token = request.session.new_csrf_token()
The ``.new_csrf_token`` method accepts no arguments. It returns a *token*
string, which will be opaque and randomized. This token will also be set
into the session, awaiting pickup by the ``session.pop_csrf_token`` method.
You can subsequently use the returned token as the value of a hidden field in
a form that posts to a method that requires elevated privileges. The handler
for the form post should use ``session.pop_csrf_token`` (explained below) to
pop the current CSRF token related to the user from the session, and compare
it to the value of the hidden form field.
Using the ``session.pop_csrf_token`` Method
-------------------------------------------
To pop the current CSRF token from the session, use the
``session.pop_csrf_token`` method.
.. code-block:: python
:linenos:
token = request.session.pop_csrf_token()
The ``.pop_csrf_token`` method accepts no arguments. It returns the
"current" *token* string (as per the last call to
``session.new_csrf_token``). You can then use it to compare against the
token provided within form post hidden value data. For example, if your form
rendering included the CSRF token obtained via ``session.new_csrf_token`` as
a hidden input field named ``csrf_token``:
.. code-block:: python
:linenos:
token = request.session.pop_csrf_token()
if token != request.POST['csrf_token']:
raise ValueError('CSRF token did not match')
|
