 

Sending CSRF Tokens via Postman

I'm trying to test my web server's login with Postman. First, I send a GET request to my login URL, and I get a CSRF token as a cookie. Then, I make a POST request to that login page with my username, password, and CSRF token.

My problem is, when I do this in Postman, I get a 403 Forbidden error when I try to make that POST request to log in. I'm copying the CSRF token received and putting it as one of the POST parameters, and I'm using a valid username and password. Is there anything I'm overlooking here?

Asked by WhoopsBing, Apr 04 '17 01:04


People also ask

How to share CSRF token between multiple requests in Postman?

Jerry suggested using an environment variable in Postman to share CSRF token between 2 (or more) requests. Where the first request is getting CSRF token for you and stores it in an environment variable while subsequent requests consume this CSRF token via the variable. Sounds logical.

How to get CSRF token after successful login?

After successful login there is no need to supply username and password to the request, you need only the CSRF token since you already authenticated. You need to set it as a header in the request, not in the body. X-CSRFToken is the key and the value is CSRF token from the cookie.

How to extract the token from the cookie using postman?

Instead, we can use Postman's scripting feature to extract the token from the cookie and set it to an environment variable. In the Tests section of Postman, add these lines: var xsrfCookie = postman.getResponseCookie("csrftoken"); postman.setEnvironmentVariable('csrftoken', xsrfCookie.value);


1 Answer

You need to set it as a header in the request, not in the body. X-CSRFToken is the key and the value is CSRF token from the cookie. This will work if you are using an API framework like Tastypie or Django Rest Framework.

If you are authenticating without an API layer you would need to actually attach the cookie or create one with the CSRF token. This post explains it.

Answered by Pratik Mandrekar, Sep 27 '22 19:09
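The two-step flow from the question, replayed against a local stand-in server so the difference between the answer's working case and the 403 case can be seen without Postman. This is an added example, not code from the question, the answer, or Django: the server implements a simplified double-submit check (cookie value must equal the value sent in the X-CSRFToken header or the csrfmiddlewaretoken form field), the cookie, header and field names follow Django's defaults, and the credentials alice / "correct horse" are constructed for the demo. Django's real check unmasks tokens rather than comparing raw strings, so treat the server here as illustrative only.

```python
"""Two-step login against a CSRF-protected endpoint, simulated in-process.

Added example (not from the question, the answer, or Django). The server is a
deliberately small stand-in for a Django-style double-submit check; the token
format and the comparison are simplified and are NOT Django's implementation.
"""
import hmac
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http import HTTPStatus
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE = "csrftoken"            # Django's default CSRF cookie name
HEADER = "X-CSRFToken"          # header the answer tells the poster to set
FIELD = "csrfmiddlewaretoken"   # form field Django's HTML forms use
VALID_USER = ("alice", "correct horse")   # constructed credentials for the demo


class CsrfLoginHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, text):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(text.encode())

    def do_GET(self):
        # Step 1 of the question: GET the login page, receive the token as a cookie.
        token = secrets.token_urlsafe(32)
        self.send_response(HTTPStatus.OK)
        self.send_header("Set-Cookie", f"{COOKIE}={token}; Path=/; SameSite=Lax")
        self.end_headers()
        self.wfile.write(b"login form")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        cookie_token = jar[COOKIE].value if COOKIE in jar else None
        # The second copy may arrive as a header (API clients) or a form field (browsers).
        submitted = self.headers.get(HEADER) or form.get(FIELD, [None])[0]
        # Double-submit check: BOTH copies must be present and match. A token in the
        # body without the cookie (the likely Postman mistake) fails here with 403.
        if not cookie_token or not submitted or not hmac.compare_digest(cookie_token, submitted):
            self._reply(HTTPStatus.FORBIDDEN, "CSRF verification failed")
            return
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if creds != VALID_USER:
            self._reply(HTTPStatus.UNAUTHORIZED, "bad credentials")
            return
        self._reply(HTTPStatus.OK, "logged in")


def post_login(base, jar, *, send_cookie=True, via="header"):
    """POST the credentials and return the HTTP status.

    via: "header" (X-CSRFToken), "body" (csrfmiddlewaretoken field) or None.
    send_cookie=False reproduces a client that never replays the csrftoken cookie.
    """
    token = next((c.value for c in jar if c.name == COOKIE), None)
    fields = {"username": VALID_USER[0], "password": VALID_USER[1]}
    headers = {}
    if via == "body" and token:
        fields[FIELD] = token
    elif via == "header" and token:
        headers[HEADER] = token
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar if send_cookie else CookieJar()))
    req = urllib.request.Request(base + "/login/", data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers, method="POST")
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the stand-in server, run the four client variants, return their statuses."""
    server = HTTPServer(("127.0.0.1", 0), CsrfLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        jar = CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        opener.open(base + "/login/").read()   # step 1: csrftoken cookie lands in the jar
        return {
            "no_token": post_login(base, jar, via=None),                          # 403
            "body_without_cookie": post_login(base, jar, send_cookie=False, via="body"),  # 403
            "body_with_cookie": post_login(base, jar, via="body"),                # 200
            "header_with_cookie": post_login(base, jar, via="header"),            # 200
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case:22s} -> {status}")
```

The "body_without_cookie" case is the one to compare with the question: the token is in the POST parameters, the credentials are valid, and the server still answers 403, because the cookie half of the double-submit pair never came back. Whichever of header or form field the client uses, the csrftoken cookie obtained from the GET must be sent on the POST as well.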