[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Thanks for the support and for figuring it out with the community! Providing answers in the right order:

@Anthony, the HTTPS protocol is not yet implemented; first we need the transactions fully working, so HTTP is used meanwhile. We're not using web browsers; it is the Android app that generates a POST with a JSON request, that is: {entry_value=data_used_by_functions}, as if you were using curl to generate POSTs. The auth is provided with credentials, classic username and password strings (for now).

@Anthony, @Dave_S, as said above, the Android sends this via web over HTTP with JSON. The development is done on a PC connected to the local LAN, so the Android device with its own native application generates a curl-like request and sends it to the PC's IP within the LAN. In another version of the same native Android app, it communicates with the same web2py project hosted on pythonanywhere. The guys at pythonanywhere told me that the issue has nothing to do with the server provided by them; they said that the CSRF token could be expired.

Could the issue be the:

    auth.settings.allow_basic_login = True
    @auth.requires_login()

in the different functions that exchange or bring the auth credential? Can it be lost after a certain number of hops between functions? Is that a misuse of those two rows of authentication method in default.py?

Thanks again! :D

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups web2py-users group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Jon,

You MUST access the form before sending your POST message, to get the CSRF token sent by web2py. This is a security solution that disallows other people from sending undesired messages to your app.

Best Regards,
José Ricardo Borba
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Hi José! Thanks for supporting too! C:

I'm learning about this framework, and I have a glimpse of what the browser does in the data exchange between web pages and backend stuff... But in this application, I'm afraid we want to provide the right interface for the backend. So, no web forms, at least not for now; in the upcoming days we'll be implementing Bootstrap 3 for the view layout and stuff, but that's only for informative purposes at this phase.

That's why I was asking if there was a way of having a RESTful, CRUD way of doing the request from something that has no web forms. So... Mobile App - HTTP stuff - backend controllers (functions in default) - database data exchange, CRUD. And then a response to the Mobile App in order to show the data it asked for...

Indeed we will use and need the view part and web forms, credentials through it and tokens. But for now, we need to implement the request directly from the Android native App. If that's not the way of doing it, do you or someone know something about having those tokens in an entity such as a mobile device with Android, in order to handle sessions, auths, or the usual tools and conventions used in views?

Good vibes! :D
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Hi, Jon,

Now it's more clear to me what you really need. Maybe this slice from Bruno[1] can help you. I think that YES. ;-)

[1] - http://www.web2pyslices.com/slice/show/1533/restful-api-with-web2py

Best Regards,
José Ricardo Borba
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Additionally, this[1] part of the web2py book can help you too:

> ... By default, Auth protects logins against cross-site request forgeries (CSRF). This is actually provided by web2py's standard CSRF protection whenever forms are generated in a session. However, under some circumstances, the overhead of creating a session for login, password request and reset attempts may be undesirable. DOS attacks are theoretically possible. CSRF protection can be disabled for Auth forms (as of v 2.6):
>
>     Auth = Auth(..., csrf_prevention = False)
>
> Note that doing this purely to avoid session overload on a busy site is not recommended because of the introduced security risk. Instead, see the Deployment chapter for advice on reducing session overheads...

[1] - http://web2py.com/books/default/chapter/29/09/access-control

José Ricardo Borba
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Thanks José! :D I'm afraid it already does help me... :3

In the implementation of that slice, Leonel Cámara and Massimo came to suggest another way of having POST requests for the backend. So, a modification of it was suggested in: https://groups.google.com/d/msg/web2py/wfHtQ6P2Gmo/lrljWW1LBEIJ

What do you think?

Carpe Diem! (^_^ )
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
That was fast, thanks! :D

> [...] CSRF protection can be disabled for Auth forms (as of v 2.6): Auth = Auth(..., csrf_prevention = False). Note that doing this purely to avoid session overload on a busy site is not recommended because of the introduced security risk. Instead, see the Deployment chapter for advice on reducing session overheads...

So accurate indeed. I'll look deeply into the Deployment chapter as stated; now that I know the CSRF verification can be bypassed, it kinda feels wrong to deactivate that security mechanism... So, I will look into overhead, because... this is a backend prototype for the Internet of Things. So, overhead: better have the right control. It will be kinda busy, as for the role we want to implement (you can imagine, because of the requests to the server from embedded devices; if everything goes fine, tons of them).

I proposed web2py after some noob research, noob because it's a pretty new topic for the rush of businesses growing and asking for IoT solutions, and for the time I was given to build a functional prototype that can migrate or stay at the hosting we have, change from SQLite to MySQL, change from Rocket to Apache and eventually secure it and scale it. So, web2py is the shot. I truly want to know your opinion! :D

Thanks a lot! Good vibes!
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Wow! The thing becomes more clear post after post!

In this case (IoT), I suggest that you, in the FIRST place, start with a Python client (like suggested in Bruno's slice before). And ONLY when things go right, turn to implementing the Android (or whatever platform) way. This will isolate your problems and lead you toward the solution, step by step.

I think that the messages of Massimo and Leonel do, in essence, the same thing as Bruno's post, but with some more refinement. Try what you feel more comfortable with!

Best regards,
José Ricardo Borba
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
> @Anthony, the HTTPS protocol is not yet implemented; first we need the transactions fully working, so HTTP is used meanwhile. We're not using web browsers; it is the Android app that generates a POST with a JSON request, that is: {entry_value=data_used_by_functions}, as if you were using curl to generate POSTs. The auth is provided with credentials, classic username and password strings (for now).

Yes, I understand you are not using a browser. Nevertheless, whatever client you are using to make the POST request, the server is clearly requiring you to set the Referer header.

> @Anthony, @Dave_S, as said above, the Android sends this via web over HTTP with JSON. The development is done on a PC connected to the local LAN, so the Android device with its own native application generates a curl-like request and sends it to the PC's IP within the LAN. In another version of the same native Android app, it communicates with the same web2py project hosted on pythonanywhere. The guys at pythonanywhere told me that the issue has nothing to do with the server provided by them; they said that the CSRF token could be expired.

I can't speak for pythonanywhere, but web2py is not generating that HTML response (try searching the web2py repo for any of the text contained in that response). web2py only uses CSRF tokens with forms created via FORM and SQLFORM, and it never reports errors regarding CSRF failures. Something in between the Android app and web2py is rejecting the request and returning this response. Maybe do some logging and/or inspection of requests/responses on the client to help figure out the source of the problem (e.g., what are the response headers when you receive this error).

> Could the issue be the:
>
>     auth.settings.allow_basic_login = True
>     @auth.requires_login()

I don't think so. Though you don't need to bother decorating functions that are only called by other functions (you only need to decorate actions accessible via URL -- internal functions should be made private, which you can do by giving them arguments, preceding their names with a double underscore, or moving them out of the controller).

Anthony
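What Anthony describes, as an added example that is not code from the thread or from web2py: a strict-Referer policy of the kind the quoted 403 page enforces, and the request a non-browser client has to build to satisfy it. The wording of that 403 page matches Django's default CSRF-failure view, whose rule is that a state-changing request over HTTPS must carry a Referer header that uses https and matches the request host; `check_referer()` reproduces that rule in plain Python so the rejection can be seen offline, and `build_post()` constructs the POST (JSON body, HTTP Basic credentials, explicit same-origin Referer) without sending it. The host name, credentials, path and frame payload are made up for the example.

```python
"""Strict-Referer check over HTTPS, and a client request that passes it.

Added example, not the thread's code. check_referer() mirrors the policy
behind the quoted 403 page; build_post() is what curl or an Android app
must send. Host, credentials and payload below are assumptions.
"""
import base64
import json
from urllib.parse import urlsplit
from urllib.request import Request

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def check_referer(method, scheme, host, headers):
    """Return (allowed, reason) the way a strict-Referer front end decides.

    headers is a dict of request headers as sent. Only unsafe methods over
    HTTPS are checked, which is exactly the case a mobile client doing POST hits.
    """
    if method.upper() in SAFE_METHODS or scheme != "https":
        return True, "not checked"
    referer = headers.get("Referer")
    if not referer:
        return False, "no Referer"  # the case the thread's 403 page reports
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "Referer is insecure while host is secure"
    if parts.netloc.lower() != host.lower():
        return False, "Referer %s does not match %s" % (parts.netloc, host)
    return True, "ok"


def build_post(url, username, password, payload):
    """Build (without sending) the POST a non-browser client should make.

    Body is JSON, login is HTTP Basic (what allow_basic_login expects), and a
    same-origin Referer is set explicitly because no browser is there to add one.
    """
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    parts = urlsplit(url)
    req = Request(url, data=json.dumps(payload).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    # Basic auth is base64, not encryption: over plain HTTP the password is
    # readable by anyone on the path, which is why HTTPS keeps coming up.
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Referer", "%s://%s/" % (parts.scheme, parts.netloc))
    return req


def would_be_rejected(req):
    """Run a built request through the strict check; returns (allowed, reason)."""
    parts = urlsplit(req.full_url)
    headers = dict(req.header_items())
    return check_referer(req.get_method(), parts.scheme, parts.netloc, headers)


if __name__ == "__main__":
    # Assumed host and credentials; entry_value mirrors the thread's {entry_value=...} body.
    url = "https://example.pythonanywhere.com/project/default/raw_json_read/entries.json"
    req = build_post(url, "device-user", "device-password", {"entry_value": "frame-data"})
    print(would_be_rejected(req))  # (True, 'ok')
    # What the app sends today, no Referer at all:
    print(check_referer("POST", "https", "example.pythonanywhere.com", {}))  # (False, 'no Referer')
```

The same POST to the LAN box over plain HTTP passes the check untouched, which is why the problem only shows up against the HTTPS host; the fix is in the client (send the header), not in web2py's CSRF settings.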
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Wow, thanks! I can feel the love here at the forums!

@José, I'll try Bruno's approach on the local PC in order to apply those good practices exposed without risk. Failure isolation has my attention and I'm definitely in favor of isolation, so, will do, and catch up more with clients as stated.

@Anthony, as for the HTTP Referer, I will do that in order to catch the information and see if there's something between those two entities. I'm not sure if it will be soon (because of showcases and testing stuff here), but I'll keep feeding information about that CSRF Forbidden issue. Thank you for the good practices too; I'll apply the right changes at the right time (again, because of showcase stuff, those concept-showing meetings strain the dev team, kinda common I guess, so I'll do it in my free time).

I'll be in touch; if someone has another thought, idea or opinion, please feel free to share it!
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
On Wednesday, August 5, 2015 at 11:50:32 AM UTC-4, José Borba wrote:

> Additionally, this[1] part of the web2py book can help you too: [...] CSRF protection can be disabled for Auth forms (as of v 2.6): Auth = Auth(..., csrf_prevention = False). Note that doing this purely to avoid session overload on a busy site is not recommended because of the introduced security risk. [...]
>
> [1] - http://web2py.com/books/default/chapter/29/09/access-control

Note, the above is not relevant in this case. web2py only employs CSRF protection with forms created via FORM and SQLFORM (including the Auth forms), but in this case, no Auth forms are being used, as basic auth is being used for login. In fact, with basic auth, CSRF protection is not relevant, as the login credentials are being passed on every request (yet, you don't want to set csrf_prevention=False, in case you are still making the default Auth actions available, as they do rely on forms).

Anthony
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
On Wednesday, August 5, 2015 at 11:46:15 AM UTC-4, José Borba wrote:

> Maybe this slice from Bruno[1] can help you. I think that YES. ;-)
>
> [1] - http://www.web2pyslices.com/slice/show/1533/restful-api-with-web2py

Note, this is documented in the book as well (with some additional options and details): http://web2py.com/books/default/chapter/29/10/services#Restful-Web-Services

Anthony
Re: [web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Thanks for clarifying, Anthony.

José Ricardo Borba
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Note, unless you are sending/receiving cookies, there is no real point to using the session, as it will not persist from request to request anyway (and you don't appear to be using it for that purpose). Instead, if you need some value to be set in one function and then accessed in another function, just pass the value as an argument from the first function to the second (this also makes testing easier). Another option is to create a class and use methods operating on the object.

Anthony

> [...]
>
> The HTML page that I get is this one (rendered text of the page):
>
>     403 Forbidden
>
>     CSRF verification failed. Request aborted.
>
>     You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
>
>     If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.
>
>     More information is available with DEBUG=True.
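The restructuring Anthony recommends, as an added example that is not the thread's code or web2py's: the three controller functions with the session taken out, the frame and the caller's identity passed as arguments, and the helpers made plain functions that take parameters (so in web2py they would not be reachable as URLs; only `raw_json_read` would keep `@auth.requires_login()`). Because nothing depends on `session` or cookies, the logic runs and can be tested outside web2py. The `DataInformation` rows are an in-memory list constructed here, the DAL query is emulated by filter/sort/slice, and the frame layout `<device>|<payload>|<option>` with the device id taken from the frame is an assumption; the status numbers (204, 245, 400) are the ones the quoted code uses.

```python
"""Session-free version of raw_json_read / frame_reading / read_frame_validation.

Added example, not the thread's code: values travel as arguments, so each
function can be called and tested on its own. Rows, frame layout and the
origin of the device id are assumptions made for the example.
"""

# Constructed stand-in for db.DataInformation (no database needed to run this).
DATA_INFORMATION = [
    {"id": i, "request_type": 2, "id_device": "dev-1", "id_user": 7,
     "timestamp_string": "t%d" % i, "reading": 20 + i}
    for i in range(1, 9)
] + [
    {"id": 9, "request_type": 1, "id_device": "dev-1", "id_user": 7,
     "timestamp_string": "t9", "reading": 99},    # wrong request_type, must be skipped
    {"id": 10, "request_type": 2, "id_device": "dev-2", "id_user": 7,
     "timestamp_string": "t10", "reading": 50},   # other device
    {"id": 11, "request_type": 2, "id_device": "dev-1", "id_user": 8,
     "timestamp_string": "t11", "reading": 60},   # other user
]


def select_recent_readings(rows, user_id, device_id, limit=6):
    """Plain-Python equivalent of the DAL query in the thread:
    request_type == 2 & id_device == device & id_user == user,
    orderby=~id, limitby=(0, limit)."""
    matched = [r for r in rows
               if r["request_type"] == 2
               and r["id_device"] == device_id
               and r["id_user"] == user_id]
    matched.sort(key=lambda r: r["id"], reverse=True)
    return matched[:limit]


def read_frame_validation(frame, user_id, rows):
    """Return (status, payload). Only option 7 (send readings back) is implemented,
    as in the quoted code; other options are omitted there and here."""
    parts = frame.split("|")
    if len(parts) != 3 or not parts[2].isdigit():
        return 400, None
    device_id, option = parts[0], int(parts[2])
    if option == 7:
        recent = select_recent_readings(rows, user_id, device_id)
        if not recent:
            return 204, None
        chain = ("|" + ",".join(str(r["timestamp_string"]) for r in recent)
                 + "|" + ",".join(str(r["reading"]) for r in recent) + "|")
        return 245, chain
    return 400, None


def frame_reading(frame, user_id, rows):
    """Map a validation result to what goes back to the device: the chain
    when readings were found, otherwise the bare status number."""
    status, payload = read_frame_validation(frame, user_id, rows)
    if status == 245:
        return payload
    return status


def raw_json_read(method, post_vars, user_id, rows=DATA_INFORMATION):
    """Entry point the mobile POST hits. In web2py this is the only function that
    would carry @auth.requires_login(); method, post_vars and user_id stand in for
    request.env.request_method, request.post_vars and auth.user_id."""
    if method != "POST" or "entry_value" not in post_vars:
        return 400
    return frame_reading(post_vars["entry_value"], user_id, rows)


if __name__ == "__main__":
    print(raw_json_read("POST", {"entry_value": "dev-1|0|7"}, 7))
    print(raw_json_read("POST", {"entry_value": "dev-9|0|7"}, 7))  # 204
    print(raw_json_read("GET", {}, 7))                               # 400
```

Nothing here survives between requests, which is the point: each POST carries everything the handler needs, so there is no token or session value for a cookie-less client to lose "between hops".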
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
I'll make good use of your recommendations: I will evaluate the session persistence variables in order to distinguish the parameters between functions, and/or (will think and test) get rid of the session or leave it for good, because of the upcoming views that will be displayed in an admin interface or something like that. When the views are implemented, I certainly won't erase the CSRF flag, and will start to plan a code implementation for the right use of web forms.

Will keep in touch!

Jon
Good vibes! :D
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
The problem is stated right in the returned HTML:

> You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.

You have to set a Referer header.

Note, the above response is not being returned by web2py -- the web server must be configured to reject requests without Referer headers (so the request isn't even getting to web2py).

Anthony

On Tuesday, August 4, 2015 at 4:00:37 PM UTC-4, Jon M. wrote:
> Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being late... Kinda busy and daily life stuff goin' on.
>
> Well, the issue happens with these functions. The android device sends a POST request in order to get some data, every 30 secs. To these functions... Obviously.
>
> http://localhost's-ip:8000/project/default/raw_json_read/entries.json
>
> [...]
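Anthony's point is that a client which is not a browser has to supply the Referer header itself when the front-end server enforces a same-origin Referer check on HTTPS. The following is an added example, not code from the thread, from web2py or from pythonanywhere: it builds the POST the mobile client should send (Basic credentials, a JSON body of the {"entry_value": ...} shape the thread shows, and a Referer naming the site itself) and implements the server-side check as the 403 page describes it. The host name, the credentials, the 192.0.2.10 LAN address and the function names are constructed for illustration; only the endpoint path and the body shape come from the thread.

```python
import base64
import json
from urllib.parse import urlparse
from urllib.request import Request

# Constructed placeholder for the app's public host; the endpoint path is the
# one from the thread (project/default/raw_json_read/entries.json).
SITE_URL = "https://example-project.pythonanywhere.com"
ENDPOINT = "/project/default/raw_json_read/entries.json"


def basic_auth_value(username, password):
    """Value of the Authorization header for HTTP Basic auth."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_post(site_url, path, username, password, entry_value):
    """Build the POST a non-browser client should send to a site that enforces
    a same-origin Referer check on HTTPS: Basic credentials, a JSON body of the
    shape the thread shows ({"entry_value": ...}), and a Referer that names the
    site itself. Returns a urllib Request; nothing is sent here."""
    body = json.dumps({"entry_value": entry_value}).encode("utf-8")
    req = Request(site_url + path, data=body, method="POST")
    req.add_header("Authorization", basic_auth_value(username, password))
    req.add_header("Content-Type", "application/json")
    # A Referer-based CSRF check wants the referring origin to be the site
    # itself, so an API client sets it to the URL it is posting to.
    req.add_header("Referer", site_url + path)
    return req


def referer_is_same_origin(headers, request_url):
    """Server-side check of the kind the 403 page describes: for an HTTPS
    request, require a Referer header whose scheme and host match the request's
    own origin. Plain-HTTP requests are not subject to it. Returns (ok, reason)."""
    target = urlparse(request_url)
    if target.scheme != "https":
        return True, "plain HTTP request; strict Referer check not applied"
    referer = headers.get("Referer")
    if not referer:
        return False, "no Referer header"
    source = urlparse(referer)
    if source.scheme != "https":
        return False, "Referer is not an HTTPS URL"
    if source.netloc.lower() != target.netloc.lower():
        return False, "Referer origin %s does not match %s" % (source.netloc, target.netloc)
    return True, "same-origin Referer"


def check_request(req):
    """Run the server-side check against a urllib Request's own headers."""
    return referer_is_same_origin(dict(req.header_items()), req.full_url)


if __name__ == "__main__":
    good = build_post(SITE_URL, ENDPOINT, "jon", "s3cret", "data_used_by_functions")
    print("client with Referer:", check_request(good))
    # What the Android client in the thread was sending: no Referer at all.
    print("no Referer over HTTPS:", referer_is_same_origin({}, SITE_URL + ENDPOINT))
    # The same request to the developer's LAN box over plain HTTP is not checked.
    print("no Referer over HTTP:", referer_is_same_origin({}, "http://192.0.2.10:8000" + ENDPOINT))
    # A cross-site Referer is exactly what the check exists to reject.
    print("cross-origin Referer:", referer_is_same_origin({"Referer": "https://other.example/"}, SITE_URL + ENDPOINT))
```

Running it shows the four outcomes: the request carrying a same-origin Referer passes; the request without one, which is what the Android app was sending, is rejected over HTTPS; the same request to the LAN box over plain HTTP is not checked, which matches the local setup working while the hosted one fails; and a cross-origin Referer is rejected. The check exists because browsers attach cached Basic credentials to requests that other sites trigger, so the server wants evidence of where the request came from; an API client that sets Referer to its own target is simply supplying what a browser would have supplied.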
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
On Tuesday, August 4, 2015 at 3:19:27 PM UTC-7, Anthony wrote:
> The problem is stated right in the returned HTML:
>
> > You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
>
> You have to set a Referer header.
>
> Note, the above response is not being returned by web2py -- the web server must be configured to reject requests without Referer headers (so the request isn't even getting to web2py).

I understood the Android to be talking to web2py locally, and web2py was making the request of the remote server:

> On Tuesday, August 4, 2015 at 4:00:37 PM UTC-4, Jon M. wrote:
> > Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being late... Kinda busy and daily life stuff goin' on.
> >
> > Well, the issue happens with these functions. The android device sends a POST request in order to get some data, every 30 secs. To these functions... Obviously.
> >
> > http://localhost's-ip:8000/project/default/raw_json_read/entries.json

However, if I'm reading it correctly, the request to the remote server is in the omitted code. But if I'm right, then that code is what needs to set the referrer heading. Not that I'm incapable of being confused here.

/dps

> > [...]
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
Greetings again!!! THANKS FOR YOUR EARLY ANSWER! I'm very sorry for being late... Kinda busy and daily life stuff goin' on.

Well, the issue happens with these functions. The android device sends a POST request in order to get some data, every 30 secs. To these functions... Obviously.

http://localhost's-ip:8000/project/default/raw_json_read/entries.json

default.py

    # Omitted code...

    auth.settings.allow_basic_login = True
    @auth.requires_login()
    def raw_json_read():
        # The mobile POST hits here first.
        if request.env.request_method == 'POST':
            session.processing_frame = request.post_vars['entry_value']
            the_result = frame_reading()
            return the_result
        return 400

    auth.settings.allow_basic_login = True
    @auth.requires_login()
    def frame_reading():
        # Then here...
        # Omitted code
        session.persistence_last_reload = 0  # Found that it didn't have the prefix 'session' and the dot of course. Might be the issue, might be not...
        # Omitted code
        frame_input = session.processing_frame or redirect(URL('index'))
        status_message = read_frame_validation(frame_input)
        if status_message == 210:
            return_value = session.persistence_load_reading
            return return_value
        # Omitted code
        elif status_message == 245:
            return_value = session.persistence_last_reload
            return return_value
        # Omitted code
        else:
            return status_message

    auth.settings.allow_basic_login = True
    @auth.requires_login()
    def read_frame_validation(frame_to_split):
        # Omitted validation code...
        elif int(string_list[2]) == 7:
            # Here's the option that sends back information to the mobile device
            time_list = []
            read_list = []
            the_chain = ''
            refill_rows = db((db.DataInformation.request_type == 2) &
                             (db.DataInformation.id_device == id_device) &
                             (db.DataInformation.id_user == auth.user_id)).select(
                db.DataInformation.timestamp_string, db.DataInformation.reading,
                orderby=~db.DataInformation.id, limitby=(0, 6))
            if len(refill_rows) == 0:
                return 204
            for row in refill_rows:
                time_list.append(row['timestamp_string'])
                read_list.append(row['reading'])
            the_chain = '|' + ','.join(map(str, time_list)) + '|' + ','.join(map(str, read_list)) + '|'
            session.persistence_last_reload = the_chain
            return 245
        # Then, the whole way back to response.

The HTML page that I get is this one:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html lang="en">
    <head>
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <meta name="robots" content="NONE,NOARCHIVE">
      <title>403 Forbidden</title>
      <style type="text/css">
        html * { padding:0; margin:0; }
        body * { padding:10px 20px; }
        body * * { padding:0; }
        body { font:small sans-serif; background:#eee; }
        body>div { border-bottom:1px solid #ddd; }
        h1 { font-weight:normal; margin-bottom:.4em; }
        h1 span { font-size:60%; color:#666; font-weight:normal; }
        #info { background:#f6f6f6; }
        #info ul { margin: 0.5em 4em; }
        #info p, #summary p { padding-top:10px; }
        #summary { background: #ffc; }
        #explanation { background:#eee; border-bottom: 0px none; }
      </style>
    </head>
    <body>
    <div id="summary">
      <h1>Forbidden <span>(403)</span></h1>
      <p>CSRF verification failed. Request aborted.</p>
      <p>You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
      <p>If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.</p>
    </div>
    <div id="explanation">
      <p><small>More information is available with DEBUG=True.</small></p>
    </div>
    </body>
    </html>
[web2py] Re: CSRF Forbidden 403 when POST from mobile device.
We need to see some code, how you are making the post request, and the exact response received.

On Tuesday, July 28, 2015 at 6:30:18 PM UTC-4, Jon M. wrote:
> Greetings community! Thanks for passing by, hope we can get nice data from this issue.
>
> So, we're creating a backend application that receives POST petitions with basic http auth from an Android app, no cookies or advanced topics for sessions, I want to get there, but I'm kinda new to this... This Android app sends every 30 seconds POST petitions in order to receive data from database tables. This only occurs from time to time and only before 10AM (GMT -6), yeah, we're in Mexico and the server is hosted by pythonanywhere.com. Excellent service BTW, but we're having this issue. I might ask them too in case the service plan is truncating requests. And I'm asking here, in case I'm doing something wrong with the petitions or misusing the basic http auth. If you need more details, I can provide them... Thanks a lot!
>
> ¡Buena vibra!