Mercurial > libervia-web
comparison src/server/session_iface.py @ 956:dabecab10faa
server (pages): impleted CSRF protection:
A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post.
The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context).
If token is wrong on absent, an unauthorized error page is returned (and client ip is logged).
Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing.
Added HTTP_SEE_OTHER status code in constants.
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Mon, 10 Jul 2017 19:10:31 +0200 |
| parents | 92f0eeb6dc72 |
| children | 67bf14c91d5c |
comparison
equal
deleted
inserted
replaced
| 955:4f7cb6335a33 | 956:dabecab10faa |
|---|---|
| 33 def __init__(self, session): | 33 def __init__(self, session): |
| 34 self.profile = None | 34 self.profile = None |
| 35 self.jid = None | 35 self.jid = None |
| 36 self.uuid = unicode(shortuuid.uuid()) | 36 self.uuid = unicode(shortuuid.uuid()) |
| 37 self.identities = data_objects.Identities() | 37 self.identities = data_objects.Identities() |
| 38 self.csrf_token = unicode(shortuuid.uuid()) | |
| 38 | 39 |
| 39 | 40 |
| 40 class ISATGuestSession(Interface): | 41 class ISATGuestSession(Interface): |
| 41 id = Attribute("UUID of the guest") | 42 id = Attribute("UUID of the guest") |
| 42 data = Attribute("data associated with the guest") | 43 data = Attribute("data associated with the guest") |