[Haskell-cafe] Yesod CSRF token

Geraldus heraldhoi at gmail.com
Wed Feb 17 18:14:17 UTC 2016


Can you share your code?

If you make your POST requests via forms make sure that you generation
forms with Yesod functions, in this case it will insert hidden field with
CSRF token to resulting form widget automatically.  If you sending requests
via XHR make sure to use `defaultCsrfMiddleware` from Yesod.Core.

Hope this helps.

ср, 17 февр. 2016 г. в 15:38, fr33domlover <fr33domlover at riseup.net>:

> Hello,
>
> I started a new Yesod web app few days ago. I'm using stack, LTS-5.1, and
> the
> yesod-postgres scaffolding.
>
> When I try to log in into my new minimal app, I get an error: A valid CSRF
> token wasn't present in HTTP headers or POST parameters. That's because the
> POST request doesn't include that token for some reason. But I don't know
> why.
>
> I found a recent PR which removes the CSRF token checking from the
> scaffolding,
> but I do want CSRF protection to work. As a Yesod beginner, I'm not sure
> exactly why the token doesn't get inserted where it should (the Yesod book
> says
> yesod-form does insert it, so I assume this is a bug here) and how I can
> fix
> that. Even if I inserted the token manually into the login form, what
> about all
> the other POST requests my app may use, such as logout?
>
> I also found a commit that adds the token to the redirectToPost function in
> yesod-core, but
>
> (1) It's in the most recent release, not in LTS
> (2) I'm not sure it has anything to do with it because it seems to be some
> sort
> of JS based form
>
> Anyone knows whether this is a known issue and how to fix it?
>
>
>
> Thanks!
> --fr33
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/haskell-cafe/attachments/20160217/17448c5d/attachment.html>


More information about the Haskell-Cafe mailing list