[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
Thanks for the support and figuring it out with the community!

Providing answers in the right order:

@Anthony, the HTTPS protocol is not yet implemented; first we need the 
transactions fully working, so the HTTP protocol is used meanwhile. We're not 
using web browsers; it is the Android app that generates a POST with a JSON 
request, that is:

{entry_value=data_used_by_functions}

As if you were using curl for generating POSTs, the auth is provided with 
credentials, classic username and password strings (for now).

@Anthony, @Dave_S, as said above, the Android sends this via web with HTTP 
with JSON; the development is done on a PC connected to the local LAN, so the 
Android device with its own native application generates a curl-like 
request and sends it to the PC's IP within the LAN. And in another version 
of the same native Android app, it communicates to the same web2py project 
hosted on pythonanywhere. The guys at pythonanywhere told me that the issue 
has nothing to do with the server provided by them; they said that the CSRF 
token could be expired.

Could the issue be the:
 
auth.settings.allow_basic_login = True
@auth.requires_login()

in the different functions that exchange or bring the auth credential. Can 
it be lost after a certain number of hops between functions? Is that a misuse 
of those two rows of authentication method in default.py?

Thanks again! :D

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread José Ricardo Borba
Jon,

You MUST access the form before sending your POST message, to get
the CSRF token sent from web2py. This is a security solution that
disallows other people from sending undesired messages to your app.

Best Regards,

José Ricardo Borba

-- 
José Ricardo Borba



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
Hi José! Thanks for supporting too! C:

I'm learning about this framework, and I have a glimpse of what the browser 
does in data exchange between web pages and backend stuff... But, in this 
application, I'm afraid we want to provide the right interface for the 
backend.

So, no web forms, at least not for now, in the upcoming days we'll be 
implementing bootstrap 3 for the view layout and stuff, but that's only for 
informative purposes at this phase. 

That's why I was asking if there was a way of having RESTful, CRUD way of 
doing the request from something that had no web forms. So...

Mobile App - HTTP stuff - backend controllers (functions in default) - 
database data exchange, CRUD.

And then the response to the Mobile App in order to show the data it asked for...

Indeed we will use and need the view part and web forms, credentials 
through it and tokens. But for now, we need to implement the request 
directly from Android native App.

If that's not the way of doin' it, do you or someone know something 
about having those tokens in an entity such as a mobile device with Android in 
order to handle sessions, auths, or the usual tools and conventions used in 
views?

Buena vibra! :D



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread José Ricardo Borba
Hi, Jon,

Now it's clearer to me what you really need. Maybe this slice from
Bruno[1] can help you. I think that YES. ;-)

[1] - http://www.web2pyslices.com/slice/show/1533/restful-api-with-web2py

Best Regards,

José Ricardo Borba


-- 
José Ricardo Borba



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread José Ricardo Borba
Additionally, this[1] part of web2py book can help you too.

"... By default, Auth protects logins against cross-site request forgeries
(CSRF). This is actually provided by web2py's standard CSRF protection
whenever forms are generated in a session. However, under some
circumstances, the overhead of creating a session for login, password
request and reset attempts may be undesirable. DOS attacks are
theoretically possible. CSRF protection can be disabled for Auth forms (as
of v 2.6):

Auth = Auth(..., csrf_prevention = False)

Note that doing this purely to avoid session overload on a busy site is
not recommended because of the introduced security risk. Instead, see the
Deployment chapter for advice on reducing session overheads..."



[1] - http://web2py.com/books/default/chapter/29/09/access-control


-- 
José Ricardo Borba



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
Thanks José! :D

I'm afraid it already does help me... :3

In the implementation of that slice, Leonel Cámara & Massimo came to 
suggest another way of having POST requests for the backend... So, a 
modification of it he suggested in:

https://groups.google.com/d/msg/web2py/wfHtQ6P2Gmo/lrljWW1LBEIJ

What do you think?

Carpe Diem! (^_^ )



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
That was fast, thanks! :D


So accurate indeed, I'll look deeply into the deployment chapter as stated; now 
that I know the CSRF verification can be bypassed, it kinda feels wrong to 
deactivate that security mechanism... So, I will look into overhead, 
because... This is a backend prototype for the Internet of Things... So, 
overhead: better have the right control. It will be kinda busy given the 
role we want to implement (you can imagine, because of the requests to the server 
from embedded devices, if everything goes fine, tons of them). I proposed 
web2py after some noob research, noob because it's a pretty new topic for 
the rush of businesses growing and asking for IoT solutions and for the 
time I was given to build a functional prototype that can migrate or stay 
at the hosting we have, change from sqlite to MySQL, change from Rocket to 
Apache and eventually secure it and scale it. So, web2py is the shot.

I truly want to know your opinion! :D

Thanks a lot! Buena vibra!



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread José Ricardo Borba
Wow!
The thing is becoming clearer post after post!
In this case (IoT), I suggest that you, in the FIRST place, start with a
Python client (like suggested in Bruno's slice before).
And ONLY when things go right, turn to implementing the Android (or
whatever platform) way. This will isolate your problems and lead you toward
the solution, step by step.

I think that the messages of Massimo and Leonel do, in essence, the
same thing as Bruno's post, but with some more refinement. Try what you
feel more comfortable with!

Best regards,

José Ricardo Borba



-- 
José Ricardo Borba



[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Anthony


 @Anthony, the HTTPS protocol is not yet implemented; first we need the 
 transactions fully working, so the HTTP protocol is used meanwhile. We're not 
 using web browsers; it is the Android app that generates a POST with a JSON 
 request, that is:

 {entry_value=data_used_by_functions}

 As if you were using curl for generating POSTs, the auth is provided with 
 credentials, classic username and password strings (for now).


Yes, I understand you are not using a browser. Nevertheless, whatever 
client you are using to make the post request, the server is clearly 
requiring you to set the Referer header.
 

 @Anthony, @Dave_S, as said above, the Android sends this via web with HTTP 
 with JSON; the development is done on a PC connected to the local LAN, so the 
 Android device with its own native application generates a curl-like 
 request and sends it to the PC's IP within the LAN. And in another version 
 of the same native Android app, it communicates to the same web2py project 
 hosted on pythonanywhere. The guys at pythonanywhere told me that the issue 
 has nothing to do with the server provided by them; they said that the CSRF 
 token could be expired.


I can't speak for pythonanywhere, but web2py is not generating that HTML 
response (try searching the web2py repo for any of the text contained in 
that response). web2py only uses CSRF tokens with forms created via FORM 
and SQLFORM, and it never reports errors regarding CSRF failures. Something 
in between the Android app and web2py is rejecting the request and 
returning this response. Maybe do some logging and/or inspection of 
requests/responses on the client to help figure out the source of the 
problem (e.g., what are the response headers when you receive this error).
 

 Could the issue be the:
  
 auth.settings.allow_basic_login = True
 @auth.requires_login()


I don't think so. Though you don't need to bother decorating functions that 
are only called by other functions (you only need to decorate actions 
accessible via URL -- internal functions should be made private, which you 
can do by giving them arguments, preceding their names with a double 
underscore, or moving them out of the controller). 


Anthony
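A small diagnostic client in the spirit of José's "start with a Python client" and Anthony's "log the response headers" advice. This is an added example, not code from the thread or from web2py: the host, path, credentials and payload are placeholders, and sending a Referer is an assumption based only on what the quoted 403 page asks for.

```python
"""Diagnostic client for the mobile JSON POST discussed in the thread.

Added example, not code from the thread or from web2py. It sends the same
kind of request the Android app sends (JSON body, HTTP Basic credentials,
which is what web2py's auth.settings.allow_basic_login accepts) and records
what comes back, so the layer that returns the 403 can be identified.
"""
import base64
import json
import logging
import urllib.error
import urllib.request

log = logging.getLogger("csrf_probe")

# Phrases from the 403 page quoted in the thread. web2py never emits them,
# so their presence means something in front of web2py rejected the request.
FRONTEND_CSRF_MARKERS = ("CSRF verification failed", "requires a 'Referer")

# Constructed, abridged copy of that 403 body, used for offline checks.
SAMPLE_403_BODY = (
    b"<title>403 Forbidden</title><h1>Forbidden <span>(403)</span></h1>"
    b"<p>CSRF verification failed. Request aborted.</p>"
    b"<p>You are seeing this message because this HTTPS site requires a 'Referer "
    b"header' to be sent by your Web browser, but none was sent.</p>"
)


def build_request(url, username, password, payload, referer=None):
    """Build the POST with Basic auth, optionally adding a Referer header.

    The Referer value is an assumption: the 403 page says one is required,
    web2py itself does not check it, so it only matters for whatever sits
    in front of web2py.
    """
    body = json.dumps(payload).encode("utf-8")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if referer:
        headers["Referer"] = referer
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify_response(status, headers, body):
    """Say which layer most likely produced a response (headers: any mapping)."""
    text = body.decode("utf-8", "replace")
    lower = {k.lower(): v for k, v in headers.items()}
    server = lower.get("server", "unknown")
    if status == 403 and all(m in text for m in FRONTEND_CSRF_MARKERS):
        return {"layer": "front-end CSRF/Referer check", "server": server}
    if status == 401 and "basic" in lower.get("www-authenticate", "").lower():
        return {"layer": "web2py basic-auth challenge", "server": server}
    if status == 403:
        return {"layer": "403 from an unrecognised source", "server": server}
    return {"layer": "application response", "server": server}


def probe(url, username, password, payload, referer=None):
    """Send the request once and log status, headers and the classification."""
    req = build_request(url, username, password, payload, referer)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, hdrs, body = resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and a body
        status, hdrs, body = err.code, dict(err.headers.items()), err.read()
    verdict = classify_response(status, hdrs, body)
    log.info("status=%s server=%s layer=%s", status, verdict["server"], verdict["layer"])
    for name, value in hdrs.items():
        log.info("  %s: %s", name, value)
    return status, hdrs, body, verdict


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Placeholders: replace with the LAN host, real credentials and a real frame.
    probe("http://192.0.2.10:8000/app/default/raw_json_read",
          "user", "password", {"entry_value": "frame-data"},
          referer="http://192.0.2.10:8000/")
```

Run it once without and once with the Referer argument; if only the second attempt gets past the 403, the check lives in front of web2py, exactly as Anthony describes.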



[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
Wow, thanks! I can feel the love here at the forums!

@José, I'll apply Bruno's approach on the local PC in order to apply those 
good practices exposed without risk; failure isolation has my attention and 
I'm definitely in favor of isolation, so, will do, and catch up more with 
clients as stated. 

@Anthony, as for the HTTP referrer, I will do that in order to catch the 
information and see if there's something between those two entities. I'm 
not sure if it will be soon (because of showcases and testing stuff here), 
but I'll keep feeding the information about that CSRF Forbidden 
issue. Thank you for the good practices too, I'll apply the right changes 
at the right time (again, because of showcase stuff, those concept-showing 
meetings strain the dev team, kinda common I guess, so I'll do it in my 
free time).

I'll be in touch, if someone has another thought, idea or opinion, please 
feel free to do it!



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Anthony
On Wednesday, August 5, 2015 at 11:50:32 AM UTC-4, José Borba wrote:

 Additionally, this[1] part of web2py book can help you too.

 "... By default, Auth protects logins against cross-site request forgeries 
 (CSRF). This is actually provided by web2py's standard CSRF protection 
 whenever forms are generated in a session. However, under some 
 circumstances, the overhead of creating a session for login, password 
 request and reset attempts may be undesirable. DOS attacks are 
 theoretically possible. CSRF protection can be disabled for Auth forms (as 
 of v 2.6):

 Auth = Auth(..., csrf_prevention = False)

 Note that doing this purely to avoid session overload on a busy site is 
 not recommended because of the introduced security risk. Instead, see the 
 Deployment chapter for advice on reducing session overheads..."
 

 [1] - http://web2py.com/books/default/chapter/29/09/access-control


Note, the above is not relevant in this case. web2py only employs CSRF 
protection with forms created via FORM and SQLFORM (including the Auth 
forms), but in this case, no Auth forms are being used, as basic auth is 
being used for login. In fact, with basic auth, CSRF protection is not 
relevant, as the login credentials are being passed on every request (yet, 
you don't want to set csrf_prevention=False, in case you are still making 
the default Auth actions available, as they do rely on forms).

Anthony



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Anthony
On Wednesday, August 5, 2015 at 11:46:15 AM UTC-4, José Borba wrote:

 Hi, Jon,

 Now it's clearer to me what you really need. Maybe this slice from 
 Bruno[1] can help you. I think that YES. ;-)

 [1] - http://www.web2pyslices.com/slice/show/1533/restful-api-with-web2py


Note, this is documented in the book as well (with some additional options 
and details): 
http://web2py.com/books/default/chapter/29/10/services#Restful-Web-Services

Anthony



Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread José Ricardo Borba
Thanks for clarifying, Anthony.


-- 
José Ricardo Borba



[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Anthony

Note, unless you are sending/receiving cookies, there is no real point to 
using the session, as it will not persist from request to request anyway 
(and you don't appear to be using it for that purpose). Instead, if you 
need some value to be set in one function and then accessed in another 
function, just pass the value as an argument from the first function to the 
second (this also makes testing easier). Another option is to create a 
class and use methods operating on the object.

Anthony
 

 auth.settings.allow_basic_login = True
 @auth.requires_login()
 def raw_json_read():
     # The mobile POST hits here first.
     if request.env.request_method == 'POST':
         session.processing_frame = request.post_vars['entry_value']
         the_result = frame_reading()
         return the_result
     return 400

 auth.settings.allow_basic_login = True
 @auth.requires_login()
 def frame_reading():
     # Then here...
     # Omitted code
     session.persistence_last_reload = 0  # Found that it didn't have the
     # prefix 'session' and the dot of course. Might be the issue, might be not...
     # Omitted code
     frame_input = session.processing_frame or redirect(URL('index'))
     status_message = read_frame_validation(frame_input)
     if status_message == 210:
         return_value = session.persistence_load_reading
         return return_value
         # Omitted code
     elif status_message == 245:
         return_value = session.persistence_last_reload
         return return_value
         # Omitted code
     else:
         return status_message

 auth.settings.allow_basic_login = True
 @auth.requires_login()
 def read_frame_validation(frame_to_split):
     # Omitted validation code...
     elif int(string_list[2]) == 7:  # Here's the option that sends
         # back information to the mobile device
         time_list = []
         read_list = []
         the_chain = ""
         refill_rows = db((db.DataInformation.request_type == 2) &
                          (db.DataInformation.id_device == id_device) &
                          (db.DataInformation.id_user == auth.user_id)
                          ).select(db.DataInformation.timestamp_string,
                                   db.DataInformation.reading,
                                   orderby=~db.DataInformation.id,
                                   limitby=(0, 6))
         if len(refill_rows) == 0:
             return 204
         for row in refill_rows:
             time_list.append(row['timestamp_string'])
             read_list.append(row['reading'])
         the_chain = "|" + ",".join(map(str, time_list)) + "|" + ",".join(
             map(str, read_list)) + "|"
         session.persistence_last_reload = the_chain
         return 245
     # Then, the whole way back to response.

 The HTML page that I get is this one:

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <meta http-equiv="content-type" content="text/html; charset=utf-8">
 <meta name="robots" content="NONE,NOARCHIVE">
 <title>403 Forbidden</title>
 <style type="text/css">
 html * { padding:0; margin:0; }
 body * { padding:10px 20px; }
 body * * { padding:0; }
 body { font:small sans-serif; background:#eee; }
 body>div { border-bottom:1px solid #ddd; }
 h1 { font-weight:normal; margin-bottom:.4em; }
 h1 span { font-size:60%; color:#666; font-weight:normal; }
 #info { background:#f6f6f6; }
 #info ul { margin: 0.5em 4em; }
 #info p, #summary p { padding-top:10px; }
 #summary { background: #ffc; }
 #explanation { background:#eee; border-bottom: 0px none; }
 </style>
 </head>
 <body>
 <div id="summary">
 <h1>Forbidden <span>(403)</span></h1>
 <p>CSRF verification failed. Request aborted.</p>
 <p>You are seeing this message because this HTTPS site requires a 'Referer
 header' to be sent by your Web browser, but none was sent. This header is
 required for security reasons, to ensure that your browser is not being
 hijacked by third parties.</p>
 <p>If you have configured your browser to disable 'Referer' headers, please
 re-enable them, at least for this site, or for HTTPS connections, or for
 'same-origin' requests.</p>
 </div>
 <div id="explanation">
 <p><small>More information is available with DEBUG=True.</small></p>
 </div>
 </body>
 </html>
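Anthony's advice in the message above (pass values between functions as arguments rather than through session, and give internal helpers arguments so web2py does not expose them as actions), applied to the quoted raw_json_read / frame_reading / read_frame_validation chain. This is an added example, not Jon's code or web2py's: the comma-separated frame layout with the option code in the third field, the sample DataInformation rows and the injected fetch_rows callable are all constructed assumptions so it runs offline.

```python
"""Pass values between controller helpers as arguments instead of via session.

Added example, not Jon's code and not web2py's. The three functions mirror
raw_json_read -> frame_reading -> read_frame_validation from the thread, but
every value flows through parameters and return values, so nothing depends
on a session cookie that the Android client never sends back. Because the
helpers take arguments, web2py will not expose them as URL-reachable actions,
so only the entry point needs @auth.requires_login() in a real controller.
"""
OPTION_REFILL = 7         # third frame field selecting the "send data back" path
STATUS_NO_CONTENT = 204   # status codes as used in the thread
STATUS_RELOAD = 245
STATUS_BAD_REQUEST = 400

# Constructed sample of what the DataInformation query returns (newest first).
SAMPLE_ROWS = [
    {"timestamp_string": "2015-08-05T10:37:00", "reading": 21.5},
    {"timestamp_string": "2015-08-05T10:36:00", "reading": 21.4},
]


def build_reload_chain(rows):
    """Build the '|t1,t2|r1,r2|' string the thread assembles from the last readings."""
    times = ",".join(str(r["timestamp_string"]) for r in rows)
    reads = ",".join(str(r["reading"]) for r in rows)
    return "|" + times + "|" + reads + "|"


def read_frame_validation(frame, fetch_rows):
    """Validate the frame and return (status, payload).

    Assumed frame layout: comma-separated fields, option code in field 3.
    fetch_rows(limit) stands in for the db(...).select(..., limitby=(0, limit))
    call, so the database is not needed here and the function is testable.
    """
    fields = frame.split(",")
    if len(fields) < 3 or not fields[2].strip().isdigit():
        return STATUS_BAD_REQUEST, None
    if int(fields[2]) == OPTION_REFILL:
        rows = fetch_rows(6)
        if not rows:
            return STATUS_NO_CONTENT, None
        return STATUS_RELOAD, build_reload_chain(rows)
    return STATUS_BAD_REQUEST, None   # other option codes are omitted in the thread


def frame_reading(frame, fetch_rows):
    """Turn (status, payload) into what the mobile client receives."""
    status, payload = read_frame_validation(frame, fetch_rows)
    return payload if status == STATUS_RELOAD else status


def raw_json_read(method, post_vars, fetch_rows):
    """Entry point: mirrors the request.env / request.post_vars checks."""
    if method != "POST" or "entry_value" not in post_vars:
        return STATUS_BAD_REQUEST
    return frame_reading(post_vars["entry_value"], fetch_rows)


def sample_fetch_rows(limit):
    """Offline stand-in for the DataInformation query."""
    return SAMPLE_ROWS[:limit]
```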





[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-05 Thread Jon M.
I'll make good use of your recommendations: I will evaluate the session 
persistence variables in order to distinguish the parameters between 
functions, and/or (I will think and test) get rid of the sessions or leave them 
for good, because of the upcoming views that will display in the admin 
interface or something like that. When the views are implemented, I certainly 
won't erase the CSRF flag, and will start to plan a code implementation for the 
right use of web forms.

Will keep in touch!

Jon

¡Buena vibra! :D


[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-04 Thread Anthony
The problem is stated right in the returned HTML:

You are seeing this message because this HTTPS site requires a 'Referer
  header' to be sent by your Web browser, but none was sent. This header is
  required for security reasons, to ensure that your browser is not being
  hijacked by third parties.


You have to set a Referer header.

Note, the above response is not being returned by web2py -- the web server 
must be configured to reject requests without Referer headers (so the 
request isn't even getting to web2py).

Anthony

On Tuesday, August 4, 2015 at 4:00:37 PM UTC-4, Jon M. wrote:

 Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being 
 late... Kinda busy and daily life stuff goin' on.

 Well, the issue happens with these functions.

 The Android device sends a POST request every 30 secs, in order to get some 
 data, to these functions... Obviously.

 http://localhost's-ip:8000/project/default/raw_json_read/entries.json

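As an added illustration (not code from this thread, nor from web2py or the hosting front end), here is the strict same-origin Referer rule the 403 page describes, modelled in plain Python, next to the request a non-browser client has to build to satisfy it; the host project.example, the credentials and the payload are constructed placeholders, and check_referer is a model of the rule as the error page states it, not the real server's implementation.

```python
# Added example, not code from this thread or from web2py: a model of the
# strict same-origin Referer rule the 403 page describes, and the request a
# non-browser client must build to pass it.  Host, credentials and payload
# below are constructed placeholders.
import base64
import json
from urllib.parse import urlsplit
from urllib.request import Request

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def check_referer(method, url, headers):
    """Server-side rule as the 403 page states it: a state-changing request
    to an HTTPS site must carry a Referer whose scheme and host match the
    target.  Returns (allowed, reason); header names are matched
    case-insensitively."""
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method, Referer not required"
    target = urlsplit(url)
    if target.scheme != "https":
        return True, "plain HTTP, rule does not apply"
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return False, "Referer checking failed - no Referer header"
    ref = urlsplit(referer)
    if (ref.scheme, ref.netloc) != (target.scheme, target.netloc):
        return False, "Referer checking failed - %s does not match %s://%s" % (
            referer, target.scheme, target.netloc)
    return True, "same-origin Referer"


def build_post(url, username, password, payload):
    """Build what the Android client sends (Basic auth and a JSON body) plus
    the header it was missing: a Referer naming the site's own origin."""
    parts = urlsplit(url)
    origin = "%s://%s/" % (parts.scheme, parts.netloc)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "Referer": origin,
    }
    body = json.dumps(payload).encode()
    return Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed placeholder URL in the shape of the one in the thread.
    url = "https://project.example/project/default/raw_json_read/entries.json"
    req = build_post(url, "device01", "s3cret", {"entry_value": "1,2,7"})
    print(check_referer("POST", url, {}))                        # rejected
    print(check_referer("POST", url, dict(req.header_items())))  # allowed
```

Note that the rule only applies on HTTPS, which is why the same client can succeed against a plain-HTTP development server on the LAN and still be rejected by the hosted HTTPS site.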
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-04 Thread Dave S


On Tuesday, August 4, 2015 at 3:19:27 PM UTC-7, Anthony wrote:

 The problem is stated right in the returned HTML:

 You are seeing this message because this HTTPS site requires a 'Referer
  header' to be sent by your Web browser, but none was sent. This header is
  required for security reasons, to ensure that your browser is not being
  hijacked by third parties.


 You have to set a Referer header.

 Note, the above response is not being returned by web2py -- the web server 
 must be configured to reject requests without Referer headers (so the 
 request isn't even getting to web2py).


I understood the Android to be talking to web2py locally, and web2py was 
making the request of the remote server:
 

 On Tuesday, August 4, 2015 at 4:00:37 PM UTC-4, Jon M. wrote:

 Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being 
 late... Kinda busy and daily life stuff goin' on.

 Well, the issue happens with these functions.

 The Android device sends a POST request every 30 secs, in order to get some 
 data, to these functions... Obviously.

 http://localhost's-ip:8000/project/default/raw_json_read/entries.json



However, if I'm reading it correctly, the request to the remote server is 
in the omitted code.  But if I'm right, then that code is what needs to set 
the referrer header.

Not that I'm incapable of being confused here.

/dps


 

[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-08-04 Thread Jon M.
Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being 
late... Kinda busy and daily life stuff goin' on.

Well, the issue happens with these functions.

The Android device sends a POST request every 30 secs, in order to get some 
data, to these functions... Obviously.

http://localhost's-ip:8000/project/default/raw_json_read/entries.json

default.py

# Omitted code...

auth.settings.allow_basic_login = True
@auth.requires_login()
def raw_json_read():
    # The mobile POST hits here first.
    if request.env.request_method == 'POST':
        session.processing_frame = request.post_vars['entry_value']
        the_result = frame_reading()
        return the_result
    return 400

auth.settings.allow_basic_login = True
@auth.requires_login()
def frame_reading():
    # Then here...
    # Omitted code
    session.persistence_last_reload = 0  # Found that it didn't have the
    # prefix 'session' and the dot of course. Might be the issue, might be not...
    # Omitted code
    frame_input = session.processing_frame or redirect(URL('index'))
    status_message = read_frame_validation(frame_input)
    if status_message == 210:
        return_value = session.persistence_load_reading
        return return_value
    # Omitted code
    elif status_message == 245:
        return_value = session.persistence_last_reload
        return return_value
    # Omitted code
    else:
        return status_message

auth.settings.allow_basic_login = True
@auth.requires_login()
def read_frame_validation(frame_to_split):
    # Omitted validation code...
    elif int(string_list[2]) == 7:  # Here's the option that sends
        # back information to the mobile device
        time_list = []
        read_list = []
        the_chain = ''
        refill_rows = db((db.DataInformation.request_type == 2) &
                         (db.DataInformation.id_device == id_device) &
                         (db.DataInformation.id_user == auth.user_id)).select(
            db.DataInformation.timestamp_string,
            db.DataInformation.reading,
            orderby=~db.DataInformation.id,
            limitby=(0, 6))
        if len(refill_rows) == 0:
            return 204
        for row in refill_rows:
            time_list.append(row['timestamp_string'])
            read_list.append(row['reading'])
        the_chain = '|' + ','.join(map(str, time_list)) + '|' + ','.join(
            map(str, read_list)) + '|'
        session.persistence_last_reload = the_chain
        return 245
    # Then, the whole way back to response.

The HTML page that i get is this one:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
</head>
<body>
<div id="summary">
  <h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>
  <p>You are seeing this message because this HTTPS site requires a 'Referer
  header' to be sent by your Web browser, but none was sent. This header is
  required for security reasons, to ensure that your browser is not being
  hijacked by third parties.</p>
  <p>If you have configured your browser to disable 'Referer' headers, please
  re-enable them, at least for this site, or for HTTPS connections, or for
  'same-origin' requests.</p>
</div>
<div id="explanation">
  <p><small>More information is available with DEBUG=True.</small></p>
</div>
</body>
</html>


[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

2015-07-28 Thread Anthony
We need to see some code, how you are making the post request, and the 
exact response received.

On Tuesday, July 28, 2015 at 6:30:18 PM UTC-4, Jon M. wrote:

 Greetings community! Thanks for passing by, hope we can get nice data from 
 this issue.

 So, we're creating a backend application that receives POST petitions with 
 basic http auth from an Android app, no cookies or advanced topics for 
 sessions, I want to get there, but I'm kinda new to this... This Android 
 app sends every 30 seconds POST petitions in order to receive data from 
 database tables. This only occurs from time to time and only before 10AM 
 (GMT -6), yeah, we're in Mexico and the server is hosted by 
 pythonanywhere.com. Excellent service BTW, but we're having this issue. I 
 might ask them too in case the service plan is truncating requests. And 
 I'm asking here, in case I'm doing something wrong with the petitions or 
 misusing the basic http auth.

 If you need more details, I can provide them... Thanks a lot! ¡Buena vibra!

