2

May I know how to implement CSRF using python Flask-WTF library without using cookie as mentioned in the answer of this post (CSRF Token necessary when using Stateless(= Sessionless) Authentication?) by James Ward (http://www.jamesward.com/2013/05/13/securing-single-page-apps-and-rest-services).

Currently I am hosting my application in Google Cloud Run which is serverless and stateless, It runs into a problem that sometime (not all the time) when client side making subsequent ajax request after the first load, it could not find the Session Token created during the first load when the server is auto scale up and down.

Thank you in advance!

Joel T.
  • 402
  • 3
  • 15

1 Answers1

-1

Sample Example on how CSRF is being used.

from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)  # initialise the flask app
app.config['SECRET_KEY'] = 'secret!'  # create the secret key

csrf = CSRFProtect(app)  # protect the csrf app
csrf.init_app(app)  # initialise the csrf with the app

Hopefully, this can help you on how CSRF is being used without initialising a cookie

z.yea
  • 73
  • 1
  • 7
  • Hi @z.yea, thanks for your reply. But I think my question was not clear enough. The problem I am facing is that when Cloud Run auto scale up and down the CSRF session token created earlier on the server has gone, then it shows error "The CSRF session token is missing". Is there anyway to solve this problem or without the need of using CSRF session token? My current source code are the same as what you have shown in above. – Joel T. Feb 05 '20 at 09:51