我研究了我在Flask WTF应用程序中发现的有关“ CSRF会话令牌丢失”的每条帖子,但是到目前为止,我在任何有解决方案的解决方案中都找不到解决方案,否则我会丢失它并且看不到它。
在这种情况下,我正在创建一个登录页面,并且该错误是在POST /提交登录表单时生成的。
在浏览器开发工具中,我可以在“表单数据”中看到“ csrf_token”,但在标题中没有令牌。
表单数据来自;
<form method="POST" action="">
{{ form.hidden_tag() }}
{{ form.csrf_token() }}
在login.html中,但我不知道这是否是预期的结果–似乎没有用。
我当时想我应该在请求标头中看到X-CSRFToken吗?但是我没有。
应该是其他Cookie吗? (例如,名为“ csrf_token”而不是名为“ cookie”的“会话”?)
在validate_csrf()函数中,我找到了;
secret_key = _get_config(
secret_key, 'WTF_CSRF_SECRET_KEY', current_app.secret_key,
message='A secret key is required to use CSRF.'
)
返回预期的秘密值:
secret_key = {bytes} b'abc123ced456'
field_name = _get_config(
token_key, 'WTF_CSRF_FIELD_NAME', 'csrf_token',
message='A field name is required to use CSRF.'
)
返回
field_name = {str} ‘csrf_token’
并且_data似乎正常:
data = {str} 'IjZiNWY5ZDdiNTZjMTVkM2U0Mzg3MjU1NGMxYzc3Yjg1MTMzYTlhYzEi.XC447w.cmc1INq6u8qVuq0EOL9ARcPwB6k'
但是失败,因为“ field_name”不在会话中
if field_name not in session:
raise ValidationError('The CSRF session token is missing.')
所以问题是为什么?
我也从登录表单方法中检查键/值时出错;
@app.route("/login", methods=['GET', 'POST'])
def login():
test = session['secret_key']
KeyError:'secret_key'
app.secret_key如何进入会话“ secret_key”? 这似乎没有发生。
from flask import Flask, render_template, url_for, flash, redirect, Response, jsonify, abort, session
from flask_session import Session
from flask_wtf.csrf import CSRFProtect
from flask_cors import CORS
from flask_login import LoginManager,UserMixin,current_user,login_required,login_user,logout_user
from forms import RegistrationForm, LoginForm, TimecardForm
from employees import employees
csrf = CSRFProtect()
app = Flask(__name__)
csrf.init_app(app)
app.config['SECRET_KEY'] = os.getenv('SECRET_KEY') or \
'abc123ced456'
app.config['SESSION_TYPE'] = 'memcached'
app.config['WTF_CSRF_ENABLED'] = True
app.config['WTF_CSRF_SECRET_KEY'] = os.getenv('SECRET_KEY') or \
'abc123ced456'
app.config['SESSION_COOKIE_SECURE'] = True
app.config['REMEMBER_COOKIE_SECURE'] = True
CORS(app)
sess = Session()
sess.init_app(app)
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.session_protection = "strong"
login_manager.login_view = 'login'
@login_manager.user_loader
def load_user(userid):
result = None
emp_collection = employees.oEmployeeCollection()
emp_collection.getAllEmployees(None, None)
result = emp_collection.getEmployee(userid)
return result
@app.route("/login", methods=['GET', 'POST'])
def login():
form = LoginForm()
if form.validate_on_submit():
emp_collection = employees.oEmployeeCollection()
emp_collection.getAllEmployees(None, None)
current_user = emp_collection.getEmployee(form.user_init.data.upper())
if current_user is not None:
if current_user.password == form.password.data:
login_user(current_user, remember=True)
sess['current_user'] = current_user.toJSON()
flash('You have been logged in!', 'success')
#next = flask.request.args.get('next')
## is_safe_url should check if the url is safe for redirects.
#if not is_safe_url(next):
# return flask.abort(400)
#return flask.redirect(next or flask.url_for('index'))
return redirect(url_for('home'))
else:
flash('Login Unsuccessful. Please check username and password', 'danger')
else:
flash('Login Unsuccessful. Please check username and password', 'danger')
flash(form.errors)
return render_template('login.html', title='Login', form=form)
@app.before_first_request
def execute_this():
# emp_collection.getAllEmployees(None, None)
test = None
if __name__ == '__main__':
app.run(host='flask.local', port=5000, debug=False)
{% extends "template.html" %}
{% block content %}
<div class="content-section">
<form method="POST" action="">
{{ form.hidden_tag() }}
{{ form.csrf_token() }}
<fieldset class="form-group">
<legend class="border-bottom mb-4">Log In</legend>
<div class="form-group">
{{ form.user_init.label(class="form-control-label")}}
{% if form.user_init.errors %}
{{ form.user_init(class="form-control form-control-lg is-invalid") }}
<div class="invalid-feedback">
{% for error in form.user_init.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% else %}
{{ form.user_init(class="form-control form-control-lg") }}
{% endif %}
</div>
<div class="form-group">
{{ form.password.label(class="form-control-label") }}
{% if form.password.errors %}
{{ form.password(class="form-control form-control-lg is-invalid") }}
<div class="invalid-feedback">
{% for error in form.password.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% else %}
{{ form.password(class="form-control form-control-lg") }}
{% endif %}
</div>
<div class="form-check">
{{ form.remember(class="form-check-input") }}
{{ form.remember.label(class="form-check-label") }}
</div>
</fieldset>
<div class="form-group">
{{ form.submit(class="btn btn-outline-info") }}
</div>
<small class="text-muted ml-2">
<a href="#">Forgot Password?</a>
</small>
</form>
</div>
<div class="border-top pt-3">
<small class="text-muted">
Need An Account? <a class="ml-2" href="{{ url_for('register') }}">Sign Up Now</a>
</small>
</div>
{% endblock content %}
from flask_wtf import FlaskForm
from wtforms import StringField, PasswordField, SubmitField, BooleanField, DateField, DecimalField
from wtforms.validators import DataRequired, Length, Email, EqualTo
class LoginForm(FlaskForm):
user_init = StringField('User', validators=[DataRequired()])
password = PasswordField('Password', validators=[DataRequired()])
remember = BooleanField('Remember Me')
submit = SubmitField('Login')
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>The CSRF session token is missing.</p>
Content-Type →text/html
Content-Length →142
Access-Control-Allow-Origin →*
Set-Cookie →session=ad0a88f2-4048-4a3b-9934-c2cd5957e9ff; Expires=Sun, 03-Feb-2019 14:55:27 GMT; HttpOnly; Path=/
Server →Werkzeug/0.14.1 Python/3.7.1
Date →Thu, 03 Jan 2019 14:55:27 GMT
Request URL: http://localhost:5000/login
Request Method: POST
Status Code: 400 BAD REQUEST
Remote Address: 127.0.0.1:5000
Referrer Policy: no-referrer-when-downgrade
Access-Control-Allow-Origin: http://localhost:5000
Content-Length: 150
Content-Type: text/html
Date: Thu, 03 Jan 2019 14:47:18 GMT
Server: Werkzeug/0.14.1 Python/3.7.1
Set-Cookie: session=62e6139c-332b-4811-ad3a-de5c29c878aa; Expires=Sun, 03-Feb-2019 14:47:18 GMT; HttpOnly; Path=/
Vary: Origin
POST /login HTTP/1.1
Host: localhost:5000
Connection: keep-alive
Content-Length: 258
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Origin: http://localhost:5000
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:5000/login
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: Webstorm-655f3561=d5da8892-b9fc-4680-8fe8-17baf5fd6f8d;session=62e6139c-332b-4811-ad3a-de5c29c878aa
csrf_token=ImI5ZDlkYjZmNjkxMDZlZDczZjdlY2VjMTM2NTQzOWZlMDBkYTY1ZWMi.XC4gZQ.DVyKZ07nrQN6WZn0jmoHyKrf_YI&
csrf_token=ImI5ZDlkYjZmNjkxMDZlZDczZjdlY2VjMTM2NTQzOWZlMDBkYTY1ZWMi.XC4gZQ.DVyKZ07nrQN6WZn0jmoHyKrf_YI&user_init=ABC&password=changeme&remember=y&submit=Login
答案 0 :(得分:0)
{{ form.hidden_tag() }}应该扩展为类似
<input id="csrf_token" name="csrf_token" type="hidden" value="... long string ...">
如果没有看到,请仔细检查如何设置应用程序的配置部分。除了SECRET_KEY之外,您是否还要设置任何WTF_选项?
您可能需要删除{{ form.csrf_token() }}
不涉及任何X-标头。 (以防万一我忘记了某些东西,我对其中一个应用程序进行了快速检查。)
答案 1 :(得分:0)
查看是否已设置cookie的“安全”属性。如果是这样,并且您正在呼叫一个非安全网站,则不会发送该cookie。我已经看到这是CSRF令牌丢失问题的原因。
答案 2 :(得分:0)
昨天我遇到了“缺少CSRF令牌”的问题,幸运的是,我已经找到了造成此案的原因。我已经在this instruction之后使用同步工作器配置将Flask应用程序部署在Gunicorn + Nginx上,这就是问题所在。 Flask不适用于Gunicorn的同步工作者,因此转向线程已解决了我的问题。
gunicorn --workers 1 --threads 3 -b 0.0.0.0:5000 wsgi:app
答案 3 :(得分:0)
@brian 的回答对我有用。问题是我在一个 localhost 设置且没有 HTTPS 服务的测试环境中。
查看更多:https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_SECURE
将以下配置设置为 False 使会话 cookie 能够在非生产(测试环境)中加载
<块引用>app.config['SESSION_COOKIE_SECURE'] = False