When using a pyramid.session session factory, calling 
request.session.get_csrf_token seems to **always** be equivalent to using 
LegacySessionCSRFStoragePolicy (sort of by definition, I suppose). 

You can confirm this by looking at the session.get_csrf_token definition in 

https://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/session.html#BaseCookieSessionFactory
 

and the call to it from LegacySessionCSRFStoragePolicy.get_csrf_token 

https://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/csrf.html#LegacySessionCSRFStoragePolicy.get_csrf_token
 

Given the above, if you are using a different storage policy, 
request.session.get_csrf_token will (almost by definition) differ. 

Janzert 

On Sunday, May 2, 2021 at 1:12:06 PM UTC-4 Eldav wrote:

> OK, I've been able to nail it down on a simple example: depending on
> the CSRF storage policy I use, "request.session.get_csrf_token()"
> (called from python or a template) and "get_csrf_token()" (called from
> a template) return the same value *or not*.
>
> - no storage policy => ok
> - LegacySessionCSRFStoragePolicy => ok
> - CookieCSRFStoragePolicy => ko
>
> I'm attaching my example, I called it "onefile.py", although I needed
> two files actually (one python file + one mako template). Sorry ;)
>
> On Wed, 28 Apr 2021 at 22:32, Laurent Daverio <ldav...@gmail.com> wrote:
> >
> > Thank you Steve. I'll have to think about it, not that the code is
> > secret, just a matter of knowing what to post to be relevant.
> >
> > On Wed, 28 Apr 2021 at 22:10, Steve Piercy <steve.pi...@gmail.com> wrote:
> > >
> > > It's difficult to say without your example. I've been using CSRF as
> > > shown in the Deform demo without any issues.
> > >
> > > --steve
> > >
> > >
> > > On 4/28/21 10:32 AM, Laurent Daverio wrote:
> > > > Hello List,
> > > >
> > > > I'd like to report a problem I've just encountered, occurring between
> > > > Pyramid's CSRF protection and Deform.
> > > >
> > > > Basically, I have a Pyramid 2.0 web app configured along the lines of
> > > > the "URL dispatch wiki tutorial"
> > > > (https://docs.pylonsproject.org/projects/pyramid/en/2.0-branch/tutorials/wiki2/authentication.html),
> > > > with some Deform forms in it.
> > > >
> > > > The Deform Demo
> > > > (https://deformdemo.pylonsproject.org/pyramid_csrf_demo/) shows how to
> > > > use a deferred value to create hidden field "csrf_token" in the
> > > > generated forms.
> > > >
> > > > But there's a problem: the token generated that way doesn't have the
> > > > same value as when I directly call get_csrf_token() in a template.
> > > >
> > > > As I don't have the time/energy to fully investigate the problem right
> > > > now, I think I will just use a workaround: as I'm using Diazo as a
> > > > theming engine (awesome tech, btw), I think I will add a rule to
> > > > inject the token into every form. Should work.
> > > >
> > > > Still, I wanted to take the time to report the problem, in case it
> > > > could be useful.
> > > >
> > > > Laurent.
> > > >
> > >
> > > -- 
> > > You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> > > To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/44979a98-12ae-239e-8478-c2323aecfaf1%40gmail.com.
>

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pylons-discuss+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/96ea6ed5-0e07-406b-a5cd-4a77bc41fe59n%40googlegroups.com.
