django csrf for api that works with ios apps -

-

i building ios app communicates server getting data.

if normal app, can send csrf token via forms (since same domain). but, ios apps, dont think can set csrf token .

so, when making requests ios apps, server, getting error regarding csrf. so, whats solution this? disabling csrf feature or other better way ? first ios app, please tell me better way follow that.

for urls ("api end points") ios app accessing, need specify @csrf_exempt on corresponding view functions disable csrf protection.

more details here - https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt

and protect urls via other authentication methods, such session authentication.

for authentication purposes, can take reference django rest framework , django tastypie has done. both use sessionauthentication classes handle authentication , protect exposed urls (api endpoints) ios app can connect to.

references:-

django tastypie has authorization class, not confused authentication. has apikey authorization class becomes useful when want expose django urls other 3rd party developers may want build app of own talk django urls access data (think "facebook apis"). each 3rd party developer can in essence provided unique api , because have apikeyauthorization class , unique api key provided each 3rd party app, can sure "authorized" apps can consume django urls. essence of how various big platforms "google+" or "facebook" etc work.

details of how django's csrf works

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works

the csrf protection based on following things:

a csrf cookie set random value (a session independent nonce, called), other sites not have access to.

this cookie set csrfviewmiddleware. meant permanent, since there no way set cookie never expires, sent every response has called django.middleware.csrf.get_token() (the function used internally retrieve csrf token).

a hidden form field name ‘csrfmiddlewaretoken’ present in outgoing post forms. value of field value of csrf cookie.

this part done template tag.

for incoming requests not using http get, head, options or trace, csrf cookie must present, , ‘csrfmiddlewaretoken’ field must present , correct. if isn’t, user 403 error.

this check done csrfviewmiddleware.

in addition, https requests, strict referer checking done csrfviewmiddleware. necessary address man-in-the-middle attack possible under https when using session independent nonce, due fact http ‘set-cookie’ headers (unfortunately) accepted clients talking site under https. (referer checking not done http requests because presence of referer header not reliable enough under http.)

this ensures forms have originated web site can used post data back.


Comments

Post a Comment

Popular posts from this blog

Perl - how to grep a block of text from a file -

-
it can in xml or text format. how in general grep block of text in perl? <track type="ws"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>0</locationindex> <propertyindex>0</propertyindex> </range> </track> <track type="ps" id="1"> <range> <rangestart>0</rangestart> <rangeend>146.912</rangeend> <locationindex>1</locationindex> <propertyindex>1</propertyindex> </range> </track> i want grep type="ps" , till </range> . one solution open file, read line line , match block. open(fh, "file.txt"); foreach $line (<fh>) { if ($line =~ m/type="cc"(.*?)<\/range>/) { print $1; } } but there more optimal solution without reading file line l
Read more

delphi - How to remove all the grips on a coolbar if I have several coolbands? -

-
Image
if set mycoolbar.fixedorder true,only grip on first band hidden. well,if use delphi 7 create vcl forms application,then put coolbar on , create 3 coolbans hold other controls,only grip , top coolbands can hidden setting mycoolbar.fixedorder:=true. i've uploaded picture make things clear. you got fixedorder property wrong. fixed property not allow bands rearranged if set true . setting property of coolbar true keep user changing bands order @ runtime, user can still move , resize bands. can give advice can do, actual solution problem, well, have wait answer. my advice use 3 coolbars in row , setting "fixedorder" property true , bandborderstyle bsnone . way grip hidden on of them. about property, it's not bug of ide, actual preference of property.
Read more

javascript - Animating array of divs; only the final element is modified -

-
this baffling me @ moment. i'm experienced programmer looking throw bit of surprise fiancee on countdown page our wedding. desired effect simulated confetti falling behind main page. setup follows: i have array of divs in javascript. each div absolutely positioned on page. have interval set updates every 50 or milliseconds. on each tick, run loop on array of divs, , calculations , update positions. problem problem having, however, though can see divs created, stored array, , modified (in case, each has slight randomized rotation) during initialization phase, once tick update position starts, div stored in whatever last slot of array gets position updated. tried hard-coding each div index testing purposes, strictly last element update position. upon printing current "left" , "top" style values each div before , after calculations shows value has been changed, no visible change noticeable. here's basic code: javascript var container;
Read more