
So I'm trying to POST form data to my colleague's site in order to log in (simple username and password) from my iPhone app. However, it appears that I need a CSRF Token in order to post. I've done a lot of research on this and from what I can tell, I can obtain this token from the csrftoken cookie (I read that here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/) using a GET request. The problem is, I don't know what exactly to do with this GET request? Where do I get it from?

Here is the code so far for my post request:

NSURL *url = [NSURL URLWithString:SERVER_ADDRESS];
NSData *postData = // Some form data
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];
[request setHTTPMethod:@"POST"];
// NSData.length is an NSUInteger, so format it with %lu and a cast rather than %d
[request setValue:[NSString stringWithFormat:@"%lu", (unsigned long)postData.length] forHTTPHeaderField:@"Content-Length"];
// The media type and the charset parameter are separated by a semicolon
[request setValue:@"application/x-www-form-urlencoded; charset=utf-8" forHTTPHeaderField:@"Content-Type"];
[request setHTTPBody:postData];

[request addValue:token forHTTPHeaderField:@"X-CSRFToken"];  // Where do I get this token from?

NSURLConnection *connection = [[NSURLConnection alloc] initWithRequest:request
                                                              delegate:self];
[connection start];

I know there are a lot of similar posts to this on StackOverflow, but I haven't found any with an answer that seems complete. Usually it just directs me to the link above which is only filled with AJAX related info. Help would be much appreciated!

Joey Franklin
    the csrf token is in a cookie, by default `csrftoken` that will be received for the same view in the same session. You'll need to do another request before posting to obtain this cookie. – SingleNegationElimination Jan 12 '13 at 21:31
  • 1
    Did you find a solution to this problem? – Rodrigo Ruiz Jul 10 '14 at 19:19
  • 1
    Any form on your buddy's website should have the token in the form. You could parse the html from any form on the site. Otherwise, ask him to make a page on the site that just displays a csrf token. – gcdev Sep 03 '14 at 19:47

2 Answers


As pointed out in the comments, you could either parse it from any page containing a form on your friend's website.

If you want one of your own, ask him to render this template at /ios/:

ios.html:

{% csrf_token %}

Then launch a GET request. You can parse the value of the token with a regex:

NSString *regex = @"csrfmiddlewaretoken\".*?\"(.*?)\"";  // capture group 1 holds the token value

Finally you have to set the value of the X-CSRFToken on your following HTTP POST requests.

Sebastian Wozny

In order to log in (POST) with the token, of course you have to get the CSRF token first, like you said. If you do a GET call to the login page first (before you follow up with a POST), the result of the login page will return a csrf_token which you can see if you use a browser (with open developer tools pane), and look at the network pane under response content to see the csrftoken cookie set by the server. In my case:

Set-Cookie:csrftoken=PgQEgY3LAynbVeWRIzXoo2VFRLfd8Uqt; expires=Fri, 10-Nov-2017 18:59:54 GMT; Max-Age=31449600; Path=/; secure

After parsing this out of the response, set a header like:

X-CSRFToken: "PgQEgY3LAynbVeWRIzXoo2VFRLfd8Uqt" 

in your POST with the login/password info. HTH

matias elgart
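An added example, not from the question or from either answer, of the two-step flow both answers describe: a GET so the server sets the csrftoken cookie, then a POST that echoes that cookie's value in X-CSRFToken while the session sends the cookie back automatically. It uses NSURLSession (iOS 7+); the login URL, the form field names and the percentEncode helper are assumptions.

```objective-c
#import <Foundation/Foundation.h>

// Assumed login URL (placeholder); Django's default cookie/field names are used.
static NSString *const kLoginURL = @"https://example.com/accounts/login/";

// Hypothetical helper: form fields must be URL-encoded so that '&', '=' or '+'
// inside a password do not corrupt the body.
static NSString *percentEncode(NSString *s) {
    return [s stringByAddingPercentEncodingWithAllowedCharacters:
            [NSCharacterSet alphanumericCharacterSet]];
}

static void loginWithCredentials(NSString *username, NSString *password) {
    NSURLSession *session = [NSURLSession sharedSession];
    NSURL *url = [NSURL URLWithString:kLoginURL];

    // Step 1: GET the login page. Its response carries Set-Cookie: csrftoken=...,
    // which the shared session stores in NSHTTPCookieStorage and sends back on
    // the POST. Django requires the cookie AND the header, and they must match.
    [[session dataTaskWithURL:url completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error) { NSLog(@"GET failed: %@", error); return; }
        NSString *token = nil;
        for (NSHTTPCookie *c in [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookiesForURL:url]) {
            if ([c.name isEqualToString:@"csrftoken"]) token = c.value;
        }
        if (!token) { NSLog(@"No csrftoken cookie set; CSRF may be disabled on this view"); return; }

        // Step 2: POST the credentials, echoing the cookie value in X-CSRFToken.
        NSString *body = [NSString stringWithFormat:@"username=%@&password=%@",
                          percentEncode(username), percentEncode(password)];
        NSMutableURLRequest *post = [NSMutableURLRequest requestWithURL:url];
        post.HTTPMethod = @"POST";
        post.HTTPBody = [body dataUsingEncoding:NSUTF8StringEncoding];
        [post setValue:@"application/x-www-form-urlencoded; charset=utf-8"
            forHTTPHeaderField:@"Content-Type"];
        [post setValue:token forHTTPHeaderField:@"X-CSRFToken"];
        // Over HTTPS Django's CsrfViewMiddleware also requires a same-origin Referer.
        [post setValue:kLoginURL forHTTPHeaderField:@"Referer"];

        [[session dataTaskWithRequest:post completionHandler:^(NSData *d, NSURLResponse *r, NSError *e) {
            if (e) { NSLog(@"POST failed: %@", e); return; }
            NSInteger status = ((NSHTTPURLResponse *)r).statusCode;
            // A 403 "CSRF verification failed" means the cookie and header did not match.
            NSLog(@"login POST status: %ld", (long)status);
        }] resume];
    }] resume];
}
```

If the session is configured with its own NSURLSessionConfiguration, make sure HTTPCookieStorage is set and HTTPShouldSetCookies is YES, otherwise the cookie is never sent back and the POST fails with 403.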