11

So I am trying to understand what to do here... I am doing a POST call to my Django server from iOS and I keep getting the 403 Error (Invalid CSRF Token). I am thinking about implementing a function that will return me the token (you will need to be logged in to access that function), and then add the token to my POST call.

Now... I don't understand what the point of doing that is. If I use TastyPie and the required login is APIKey... should I just exempt the CSRF check?

To make sure I understand things right... is the CSRF generated per user session? Therefore, if I don't use Cookies, CSRF is not necessary?

How do people usually use their Django servers with iOS and make such POST calls?

Thanks!

abisson

2 Answers

11

You're right: if you don't use cookies to manage your sessions, you don't need CSRF protection. CSRF works because session cookies are automatically attached to the request; access tokens are not.

I personally found this article very useful. It is definitely worth reading, and would probably answer a lot of your questions.

As for tastypie: it allows SessionAuthentication. If you allow session authentication in tastypie, I suggest you look into a way to protect your users against CSRF. For other authentication schemes this doesn't seem necessary. As far as I know, Dmitry is right about tastypie disabling CSRF by default, which means it is strange that you get that 403 Error. Perhaps there is something else going on. Try wrapping the view in @csrf_exempt.

As for CSRF tokens, they are also called session-independent nonces. They are meant to be permanent, but you probably know that is impossible for cookies. Anyway, this means that CSRF cookies persist through sessions.

Teisman
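To make the point of this answer concrete (the browser attaches a session cookie to cross-site requests on its own, but never adds an API key header), here is an added example that is not code from the question, the answer, Django or tastypie: a toy POST handler with both authentication paths. The in-memory stores, the simplified `ApiKey <key>` header and the request dicts are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for Django's session table, the CSRF token
# bound to each session, and tastypie's ApiKey table.
SESSIONS, CSRF_TOKENS, API_KEYS = {}, {}, {}

def login(username):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    CSRF_TOKENS[sid] = secrets.token_hex(16)
    return sid, CSRF_TOKENS[sid]

def issue_api_key(username):
    key = secrets.token_hex(16)
    API_KEYS[key] = username
    return key

def handle_post(request, csrf_exempt=False):
    """Return an HTTP status for a POST; request = {cookies, headers, form}."""
    headers, cookies = request.get("headers", {}), request.get("cookies", {})
    # Token auth: the client sets this header deliberately; a browser never adds it on its own.
    auth = headers.get("Authorization", "")
    if auth.startswith("ApiKey "):
        return 200 if auth[len("ApiKey "):] in API_KEYS else 401
    # Session auth: browsers attach the cookie to cross-site requests too, so check the token.
    sid = cookies.get("sessionid")
    if sid not in SESSIONS:
        return 401
    if not csrf_exempt:
        form_token = request.get("form", {}).get("csrfmiddlewaretoken", "")
        supplied = headers.get("X-CSRFToken", form_token)
        if not hmac.compare_digest(CSRF_TOKENS[sid], supplied):
            return 403
    return 200

def demo():
    sid, token = login("alice")
    key = issue_api_key("alice")
    # A request another site caused the browser to send: cookie present, token absent.
    cross_site = {"cookies": {"sessionid": sid}, "headers": {}, "form": {"amount": "100"}}
    same_site = {"cookies": {"sessionid": sid}, "headers": {"X-CSRFToken": token}, "form": {}}
    ios_app = {"cookies": {}, "headers": {"Authorization": "ApiKey " + key}, "form": {}}
    return {
        "cross_site_checked": handle_post(cross_site),                   # 403
        "cross_site_exempt": handle_post(cross_site, csrf_exempt=True),  # 200: exempting a session view is unsafe
        "same_site_with_token": handle_post(same_site),                  # 200
        "ios_api_key_no_csrf": handle_post(ios_app),                     # 200 without any CSRF token
        "no_credentials": handle_post({"cookies": {}, "headers": {}, "form": {}}),  # 401
    }
```

The `cross_site_exempt` result is why `@csrf_exempt` is only a safe answer when the view never accepts session cookies as credentials.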
2

You're right, CSRF does not make much sense in this case, because its purpose is to protect users from data tampering in a browser.

I believe that Tastypie disables CSRF on its views by default.

Dmitry Shevchenko