[web2py] Re: CSRF Forbidden 403 when POST from mobile device.

[Anthony]

Note, unless you are sending/receiving cookies, there is no real point to 
using the session, as it will not persist from request to request anyway 
(and you don't appear to be using it for that purpose). Instead, if you 
need some value to be set in one function and then accessed in another 
function, just pass the value as an argument from the first function to the 
second (this also makes testing easier). Another option is to create a 
class and use methods operating on the object.

Anthony
 

> auth.settings.allow_basic_login = True
> @auth.requires_login()
> *def* raw_json_read():
>     # The mobile POST hits here first.
>     *if* request.env.request_method == 'POST':
>         session.processing_frame = request.post_vars['entry_value']
>         the_result = frame_reading()
>         *return* the_result
>     *return* 400
>
> auth.settings.allow_basic_login = True
> @auth.requires_login()
> *def* frame_reading():
>     # Then here...
>     # Omitted code
>     session.persistence_last_reload = 0 # Found that it didn't have the 
> prefix 'session' and the dot of course. Might be the issue, might be not... 
>     #Omitted Code
>     frame_input = session.processing_frame or redirect(URL('index'))
>     status_message = read_frame_validation(frame_input)
>    * if* status_message == 210:
>         return_value = session.persistence_load_reading
>         *return* return_value
>     # Omitted code
>     *elif* status_message == 245:
>         return_value = session.persistence_last_reload
>         *return* return_value
>     # Omitted code
>     *else*:
>         *return* status_message
>
> auth.settings.allow_basic_login = True
> @auth.requires_login()
> *def* read_frame_validation(frame_to_split):
>     # Omitted validation code...
>     *elif* int(string_list[2]) == 7:     # Her'es the option that sends 
> back information to mobile device
>         time_list = []
>         read_list = []
>         the_chain = ""
>         refill_rows = db((db.DataInformation.request_type == 2)         & 
> \
>                          (db.DataInformation.id_device == id_device)    & \
>                          (db.DataInformation.id_user == 
> auth.user_id)).select(db.DataInformation.timestamp_string,
>                                                                             
>                          db.DataInformation.reading,
>                                                                               
>                        
> orderby =~ db.DataInformation.id,
>                                                                               
>                        
> limitby=(0,6))
>         *if* len(refill_rows) == 0:
>             *return* 204
>         *for* row in refill_rows:
>             time_list.append(row['timestamp_string'])
>             read_list.append(row['reading'])
>         the_chain = "|" + ",".join(map(str, time_list)) + "|" + ",".join(
> map(str, read_list)) + "|"
>         session.persistence_last_reload = the_chain
>         *return* 245
>         # Then, the whole way back to response.
>
> The HTML page that i get is this one:
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
> http://www.w3.org/TR/html4/loose.dtd";>
>  <html lang="en">
>  <head>
>  <meta http-equiv="content-type" content="text/html; charset=utf-8">
>  <meta name="robots" content="NONE,NOARCHIVE">
>  <title>403 Forbidden</title>
>  <style type="text/css">
>  html * { padding:0; margin:0; }
>  body * { padding:10px 20px; }
>  body * * { padding:0; }
>  body { font:small sans-serif; background:#eee; }
>  body>div { border-bottom:1px solid #ddd; }
>  h1 { font-weight:normal; margin-bottom:.4em; }
>  h1 span { font-size:60%; color:#666; font-weight:normal; }
>  #info { background:#f6f6f6; }
>  #info ul { margin: 0.5em 4em; }
>  #info p, #summary p { padding-top:10px; }
>  #summary { background: #ffc; }
>  #explanation { background:#eee; border-bottom: 0px none; }
>  </style>
>  </head>
>  <body>
>  <div id="summary">
>  <h1>Forbidden <span😠403)</span></h1>
>  <p>CSRF verification failed. Request aborted.</p>
>  <p>You are seeing this message because this HTTPS site requires a 'Referer
>  header' to be sent by your Web browser, but none was sent. This header is
>  required for security reasons, to ensure that your browser is not being
>  hijacked by third parties.</p>
>  <p>If you have configured your browser to disable 'Referer' headers, 
> please
>  re-enable them, at least for this site, or for HTTPS connections, or for
>  'same-origin' requests.</p>
>  </div>
>  <div id="explanation">
>  <p><small>More information is available with DEBUG=True.</small></p>
>  </div>
>  </body>
>  </html>
>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.