3

I send a POST request from an iPhone to Django and get "CSRF verification failed", which I can't perfectly understand. I tried to find a good solution on the internet, but I couldn't. Is there any simple way to POST to Django?

this is my code:

    // Form-encoded body for the POST.
    NSString *post = [NSString stringWithFormat:@"s=aaa&r=k&c=gg"];
    NSData *postData = [post dataUsingEncoding:NSUTF8StringEncoding allowLossyConversion:YES];
    NSString *postLength = [NSString stringWithFormat:@"%lu", (unsigned long)[postData length]];
    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
    [request setURL:[NSURL URLWithString:@"http://localhost:8000/messages/views/"]];
    [request setHTTPMethod:@"POST"];
    [request setValue:postLength forHTTPHeaderField:@"Content-Length"];
    // The media type and its charset parameter are separated by a semicolon.
    [request setValue:@"application/x-www-form-urlencoded; charset=utf-8" forHTTPHeaderField:@"Content-Type"];
    [request setHTTPBody:postData];
    NSError *error = nil;
    NSURLResponse *response = nil;
    NSData *urlData = [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];
    NSString *data = [[NSString alloc] initWithData:urlData encoding:NSUTF8StringEncoding];
    // Log through a format string; never pass response data as the format itself.
    NSLog(@"%@", data);

Amit Hagin

2 Answers

7

Am I wrong, or does it just not make sense to use this on a native app?

In that case, you could just disable this protection using this decorator:

    from django.views.decorators.csrf import csrf_exempt

    # Exempts this one view from Django's CSRF check.
    @csrf_exempt
    def view_without_csrf_protection(request):
        pass

Pedro Andrade
  • Suggesting to not use a CSRF on the view is a workaround that can cause a security problem. It's not a solution for the problem – Martin Massera Jul 17 '19 at 07:53
4

Normally this boils down to setting the headers correctly. There is an answer that already details this. The relevant part you need is this:

    xhr.setRequestHeader("X-CSRFToken", token)

See the linked answer for details on getting the token from the cookies; for brevity I didn't copy it from there. I don't really know the context of your code, so this method of retrieval might not directly apply. Regardless, you need to get the token somehow.

When you have the token, add a header to the NSMutableURLRequest. Upon posting the request, the error should be gone.

    [request addValue:token forHTTPHeaderField:@"X-CSRFToken"];

jro
  • I still have no idea how to get the token – Amit Hagin Dec 13 '11 at 11:49
  • Well, the idea with CSRF tokens is that the server has to generate them for you. This means that you cannot POST without receiving a token (via a GET) first. If you want to do this without the GET... that's a bit of an issue, since it would make the entire protection mechanism obsolete. You might be able to create a static token, but then you'll have a problem when someone else figures it out. So... I think you need to determine how (or better, if) you need the protection to be done. – jro Dec 13 '11 at 12:09
  • So how do I receive the token via GET? – Amit Hagin Dec 13 '11 at 12:14
  • See the [Django docs](https://docs.djangoproject.com/en/dev/ref/contrib/csrf/) on this. Mainly, you render a view to a template. Within that template, use the `{% csrf_token %}` tag. Upon receiving that page in your GET, extract the token, and reuse it in your POST. – jro Dec 13 '11 at 12:17
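
The GET-then-POST exchange described in the comments above, as an added example that is not part of the original question or answers. The server is a standard-library stand-in, not Django: it assumes the check is only "the `csrftoken` cookie equals the `X-CSRFToken` header", while Django's real middleware does more. `Handler` and `post_form` are hypothetical names.

```python
# Simplified stand-in for Django's CSRF check (assumption: cookie "csrftoken"
# must equal header "X-CSRFToken"; real Django also masks and validates tokens).
import secrets, threading, urllib.error, urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet

    def do_GET(self):
        # The server issues the token; the client cannot make one up.
        self.send_response(200)
        self.send_header("Set-Cookie", f"csrftoken={secrets.token_hex(16)}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        cookie = SimpleCookie(self.headers.get("Cookie", "")).get("csrftoken")
        header = self.headers.get("X-CSRFToken", "")
        ok = cookie is not None and secrets.compare_digest(cookie.value, header)
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

def post_form(with_token):
    """GET first to receive the cookie, then POST; returns the HTTP status."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/messages/views/"
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    try:
        opener.open(url).close()  # GET: server sets the csrftoken cookie
        token = next(c.value for c in jar if c.name == "csrftoken")
        req = urllib.request.Request(url, data=b"s=aaa&r=k&c=gg")  # POST
        if with_token:
            req.add_header("X-CSRFToken", token)  # echo the cookie value
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(post_form(with_token=False), post_form(with_token=True))  # 403 200
```

The same two steps apply to the `NSMutableURLRequest` in the question: the cookie from the GET has to be sent back with the POST, and its value repeated in the `X-CSRFToken` header.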