server (pages): impleted CSRF protection: A basic CSRF protection has been implemented using CSRF token. The token is created on session creation, and checked on data post. The process should be fully automatic, and a hidden field is added in forms in sat_templates when csrf_token is present in template data (require to import input/form.html with context). If token is wrong on absent, an unauthorized error page is returned (and client ip is logged). Also don't use anymore inlineCallbacks in _on_data_post, as StopIteration exception are catched by inlineCallbacks, resulting in bad behaviour. As a further security, getPostedDate raise a KeyError instead of StopIteration is a specific key is looked for and missing. Added HTTP_SEE_OTHER status code in constants.

--- a/src/server/session_iface.py	Sun Jul 09 22:28:40 2017 +0200
+++ b/src/server/session_iface.py	Mon Jul 10 19:10:31 2017 +0200
@@ -35,6 +35,7 @@
         self.jid = None
         self.uuid = unicode(shortuuid.uuid())
         self.identities = data_objects.Identities()
+        self.csrf_token = unicode(shortuuid.uuid())
 
 
 class ISATGuestSession(Interface):