
I have a login page for Mayan EDMS, which is running on Django. You would usually log in by entering a username and password and clicking on the login button. What I need to achieve instead is to post this username and password from my server side, which is running on sails.js. How can I do this?

This is what I tried but received a 403 Forbidden message.

// jQuery settings-object form of $.post (jQuery 1.12+ / 2.2+); keys are lowercase
$.post({
 url: "https://mayan/authentication/login/",
 data: "username=admin&password=mypass&next=/",
 success: function(data){
  console.log(data);
 }
});

As I understand it, a CSRF token is required, so what I did was to disable the CSRF token check using "csrf_exempt" in urls.py as suggested by this post: How to exempt CSRF Protection on direct_to_template

I modified it to "url(r'^login/&', csrf_exempt(login_view), name='login_view')", but when I tried posting the username and password I still get the 403 Forbidden. So I am confused, is this correct? Am I only exempting CSRF on the login view? Or do I need to somehow exempt the login function or something like that? I have zero knowledge of how Python works and am struggling to find out.

  • You forgot to include the CSRF token in the `data` property. Take a look at https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax. – nik_m Aug 23 '17 at 03:28
  • In my cookies, I don't have csrftoken. But I do have ckCsrfToken, are they the same? – Cherple Aug 23 '17 at 05:49
  • The csrf token is generated each time the page loads (renders). The `ckCsrfToken` may be it. Who is setting this? Django? Other? Can you answer this question? – nik_m Aug 23 '17 at 05:59
  • I am not sure.. so I tried "data:csrftoken=&username=admin........", but I'm still getting the same 403 Forbidden message, is there something wrong with the way I am posting? – Cherple Aug 23 '17 at 06:05
  • You have to be sure where this `ckCsrfToken` comes from. Who is generating that? – nik_m Aug 23 '17 at 06:37
  • I have never used django before and it was set up by someone else. Is there any way I could find out? – Cherple Aug 23 '17 at 08:43
  • If you have never used Django before, then you **should** complete successfully the official [django tutorial](https://docs.djangoproject.com/en/1.11/intro/tutorial01/) for a better understanding of how all things work/glue together. It may take you some (short) time but in the end you'll have a better understanding! – nik_m Aug 23 '17 at 12:09
  • The thing is I'm not the one who set the django part up. Is it possible for you to briefly guide me on where this csrftoken is supposed to be generated from? I have zero knowledge on python as well. Would appreciate if you could point me in a direction as I've been stuck on this for weeks. – Cherple Aug 24 '17 at 04:56
  • I looked at the demo.. csrftoken is set in the cookie while the post header contains csrfmiddlewaretoken.. am I supposed to set csrftoken in cookie when I post? Or am I supposed to post the csrftoken in my post? – Cherple Aug 25 '17 at 04:02
  • Either way it'll work. Either set the header `X-CSRFToken header` to the value of the csrf token or post the csrf token (as a hidden field) with your form. – nik_m Aug 25 '17 at 04:29
  • You mean set a request header X-CSRFToken? – Cherple Aug 25 '17 at 04:32
  • Yes. Exactly that. Did you look at [this](https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax)? – nik_m Aug 25 '17 at 04:34
  • I attempted to exempt the csrf token by following this: https://stackoverflow.com/questions/11610306/how-to-exempt-csrf-protection-on-direct-to-template. I modified it to "url(r'^login/&', csrf_exempt(login_view), name='login_view')", but when I tried posting the username and password I still get the 403 forbidden – Cherple Aug 28 '17 at 06:10
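The cookie/header pairing the comments describe, as an added example that is not code from the question, from Mayan EDMS or from Django: a Node.js client does what a browser does, fetching the login page first to receive the `csrftoken` cookie, then posting with that cookie plus the token in `X-CSRFToken` (or `csrfmiddlewaretoken`). It assumes Node 20+ for the built-in `fetch`/`getSetCookie`, and that the login view takes the `username`, `password` and `next` fields shown in the question.

```javascript
// Added example (not from the question, Mayan EDMS or Django): a Node.js
// client that logs in to a Django login view the way a browser does.
// Django's CsrfViewMiddleware needs two things the question's POST lacks:
// the `csrftoken` cookie set by a prior GET of the login page, and the same
// token repeated either in the `X-CSRFToken` header or in the
// `csrfmiddlewaretoken` form field. Over HTTPS, Django 1.11 additionally
// requires a same-origin Referer header, or it answers 403.

// Collect cookies (csrftoken, sessionid, ...) from Set-Cookie header strings.
function extractCookies(setCookieHeaders) {
  const jar = {};
  for (const header of setCookieHeaders) {
    const pair = header.split(';')[0]; // drop Path=, Secure, HttpOnly, ...
    const eq = pair.indexOf('=');
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Build the POST that satisfies the CSRF check: cookie + token + Referer.
function buildLoginRequest(loginUrl, jar, username, password) {
  if (!jar.csrftoken) throw new Error('no csrftoken cookie from login page');
  const body = new URLSearchParams({ username, password, next: '/' });
  body.set('csrfmiddlewaretoken', jar.csrftoken); // form-field variant
  return {
    url: loginUrl,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Cookie': Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; '),
      'X-CSRFToken': jar.csrftoken, // header variant; either one suffices
      'Referer': loginUrl,          // strict Referer check on HTTPS
    },
    body: body.toString(),
  };
}

// Two-step login using the built-in fetch of Node 20+ (not exercised offline).
async function loginToDjango(loginUrl, username, password) {
  const page = await fetch(loginUrl, { redirect: 'manual' });
  const jar = extractCookies(page.headers.getSetCookie());
  const req = buildLoginRequest(loginUrl, jar, username, password);
  const res = await fetch(req.url, { method: req.method, headers: req.headers,
                                     body: req.body, redirect: 'manual' });
  // Django redirects (302) to `next` on success; a 403 still means the
  // CSRF cookie/token pair or the Referer did not satisfy the middleware.
  return { status: res.status, cookies: extractCookies(res.headers.getSetCookie()) };
}
```

Marking the view `csrf_exempt` in urls.py does not help when the URL pattern you edit is not the one actually serving the login POST; sending the cookie and token as above works against the unmodified view.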
