<div dir="ltr">Can you share your code?<div><br></div><div>If you make your POST requests via forms make sure that you generation forms with Yesod functions, in this case it will insert hidden field with CSRF token to resulting form widget automatically. If you sending requests via XHR make sure to use `defaultCsrfMiddleware` from Yesod.Core.</div><div><br></div><div>Hope this helps.</div></div><br><div class="gmail_quote"><div dir="ltr">ср, 17 февр. 2016 г. в 15:38, fr33domlover <<a href="mailto:fr33domlover@riseup.net">fr33domlover@riseup.net</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I started a new Yesod web app few days ago. I'm using stack, LTS-5.1, and the<br>
yesod-postgres scaffolding.<br>
<br>
When I try to log in into my new minimal app, I get an error: A valid CSRF<br>
token wasn't present in HTTP headers or POST parameters. That's because the<br>
POST request doesn't include that token for some reason. But I don't know why.<br>
<br>
I found a recent PR which removes the CSRF token checking from the scaffolding,<br>
but I do want CSRF protection to work. As a Yesod beginner, I'm not sure<br>
exactly why the token doesn't get inserted where it should (the Yesod book says<br>
yesod-form does insert it, so I assume this is a bug here) and how I can fix<br>
that. Even if I inserted the token manually into the login form, what about all<br>
the other POST requests my app may use, such as logout?<br>
<br>
I also found a commit that adds the token to the redirectToPost function in<br>
yesod-core, but<br>
<br>
(1) It's in the most recent release, not in LTS<br>
(2) I'm not sure it has anything to do with it because it seems to be some sort<br>
of JS based form<br>
<br>
Anyone knows whether this is a known issue and how to fix it?<br>
<br>
<br>
<br>
Thanks!<br>
--fr33<br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org" target="_blank">Haskell-Cafe@haskell.org</a><br>
<a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe" rel="noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe</a><br>
</blockquote></div>