Saturday, 15 May 2010

python 2.7 - CSRF token mismatch in Apache Flask due to session reset




I have an example of a CSRF-protected form that runs in the development environment (Flask runs the server via app.run) but fails when I run the app via mod_wsgi in Apache. The versions I use are:

    Server version: Apache/2.4.4 (Unix)
    Python 2.7.3
    Flask==0.10.1
    Flask-WTF==0.9.5
    WTForms==2.0
    Flask-KVSession==0.4
    simplekv==0.8.4

The reason it fails is a csrf_token mismatch during form validation. I log the contents of flask.session and flask.request.form at the start of the view, and the contents of the session once again at the end of the view. In development mode the content of csrf_token in the session stays constant across multiple requests, for example,

    <KVSession {'csrf_token': '79918c1e3191e4d4fe89a9499f576404a18be8e4'}>

The contents of the form are transmitted correctly in both cases, e.g.,

    ImmutableMultiDict([('csrf_token', u'1403778775.86##34f1447f1b8c78808f4e71f2ff037bcd1df41dcd'), ('time', u'8'), ('submit', u'go'), ('dose', u'low')])

When I run the app via Apache, the session contents are reset on each request. At the start of the view the session contents are empty:

    <KVSession {}>

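and a new token is set each time, which leads to the mismatch. Currently, my __init__.py module looks as follows:

    from flask import Flask
    from flask.ext.sqlalchemy import SQLAlchemy
    from simplekv.memory import DictStore
    from flaskext.kvsession import KVSessionExtension

    # application object, configured from the project's config object
    app = Flask(__name__)
    app.config.from_object("myapp.config.config")
    db = SQLAlchemy(app)

    # server-side sessions backed by an in-memory dict store
    store = DictStore()
    KVSessionExtension(store, app)

    # imported last so the views can import app and db from this package
    from . import views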

I removed the KVSession statements, and that didn't alter the problem. So I think server-side sessions are not the culprit.

And yes, I have set SECRET_KEY to os.urandom(128) in the config.

The relevant (I think) section of httpd.conf is:

    Listen url.com:8090
    <VirtualHost url.com:8090>
        # --- Configure VirtualHost ---
        LogLevel debug
        ServerName url.com
        DocumentRoot /path/to/flaskapp/htdocs
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /path/to/flaskapp/htdocs/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
        </Directory>
        # --- Configure WSGI Listening App(s) ---
        WSGIDaemonProcess mysite user=me group=us processes=2 threads=10
        WSGIScriptAlias / /path/to/flaskapp/wsgi/wsgi.py
        <Directory /path/to/flaskapp/wsgi/>
            WSGIProcessGroup mysite
            WSGIApplicationGroup %{GLOBAL}
            WSGIScriptReloading On
            Require all granted
        </Directory>
        # --- Configure Static Files ---
        Alias /static/ /path/to/flaskapp/htdocs/static/
        Alias /tmp/ /path/to/flaskapp/htdocs/tmp/
    </VirtualHost>

Does anyone know which Apache settings or mod_wsgi/Flask interactions would cause the session not to persist between requests?

apache python-2.7 flask csrf flask-wtforms
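
Added example (not part of the original post, and not Flask or Flask-WTF code): a stdlib-only Python 3 model of an HMAC-signed session cookie handled by two worker processes, showing that a per-process random key makes the session arrive empty and the CSRF check fail, while one fixed key shared by all workers does not. It assumes SECRET_KEY = os.urandom(128) is evaluated separately in each mod_wsgi daemon process (processes=2 above); Worker, make_workers and csrf_roundtrip are hypothetical names, and the token check is simplified to a plain equality test.

```python
import base64
import hashlib
import hmac
import json
import os


class Worker:
    """Model of one WSGI daemon process with its own copy of the secret key."""

    def __init__(self, secret_key):
        self.secret_key = secret_key

    def _sig(self, payload):
        return hmac.new(self.secret_key, payload, hashlib.sha256).hexdigest()

    def dump_cookie(self, session):
        payload = base64.urlsafe_b64encode(json.dumps(session).encode())
        return payload.decode() + "." + self._sig(payload)

    def load_cookie(self, cookie):
        """Return the session dict, or {} when the signature does not verify."""
        if not cookie or "." not in cookie:
            return {}
        payload, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig, self._sig(payload.encode())):
            return {}  # signed with another key: treated as a fresh session
        return json.loads(base64.urlsafe_b64decode(payload).decode())

    def handle(self, cookie, form_token=None):
        """GET (no form_token) issues a token; POST checks it against the session."""
        session = self.load_cookie(cookie)
        ok = form_token is not None and hmac.compare_digest(
            session.get("csrf_token", ""), form_token)
        session.setdefault("csrf_token", os.urandom(20).hex())
        return ok, session["csrf_token"], self.dump_cookie(session)


def make_workers(n, shared_key=None):
    """shared_key=None mimics a key drawn from os.urandom(128) in every process."""
    return [Worker(shared_key if shared_key is not None else os.urandom(128))
            for _ in range(n)]


def csrf_roundtrip(get_worker, post_worker):
    """Fetch the form from one worker, submit it to another; True if CSRF passes."""
    _, token, cookie = get_worker.handle(None)
    ok, _, _ = post_worker.handle(cookie, token)
    return ok
```

With the single-process development server every request reaches the same worker, which corresponds to csrf_roundtrip(a, a).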
