I'm trying to log in to a node.js server using a CSRF token, but it isn't working, and I'm confused about which CSRF token to use. Here is the cookie information:
>>> client.cookies
<RequestsCookieJar[
Cookie(version=0, name='user.sid', value='s%3Ay-JiI_2cPs0jsnVb_g_KJCU-k9GrGISm.O6SSmsVEMmTzaTWM7btqaZZGUs2WvkZTDc9VfaWlikE', port=None, port_specified=False, domain='.domain.dev', domain_specified=True, domain_initial_dot=True, path='/', path_specified=True, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={'HttpOnly': None}, rfc2109=False),
Cookie(version=0, name='_csrf', value='s%3Ax00MKKqyFl9NHpg-3DVDaUkK.dVDwbGnXl6JGSPP3GrvVe17cYpcZNMX0RrJ8lzSGSHE', port=None, port_specified=False, domain='subdomain.domain.dev', domain_specified=False, domain_initial_dot=False, path='/', path_specified=True, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False),
Cookie(version=0, name='_csrfToken', value='18vLBP1L-gaiBFbycylW7475Pyu8HtizLNoA', port=None, port_specified=False, domain='subdomain.domain.dev', domain_specified=False, domain_initial_dot=False, path='/', path_specified=True, secure=False, expires=None, discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)
]>
There are two csrf tokens and one user.sid. Here is the code I tried:
import requests

URL = 'https://subdomain.domain.dev/login'
# EMAIL and PASSWORD were not defined in the posted code; placeholders added
EMAIL = 'user@example.com'
PASSWORD = 'password-placeholder'

client = requests.session()
# Retrieve the CSRF token first
client.get(URL, verify=False)  # sets cookie
csrftoken = client.cookies['_csrf']
# csrftoken = client.cookies['_csrfToken']
login_data = dict(
    username=EMAIL,
    password=PASSWORD,
    csrfmiddlewaretoken=csrftoken,
    next='/'
)
r = client.post(
    URL,
    data=login_data,
    headers=dict(Referer=URL)
)
I get a 500 Error, and I tried both tokens. How should I send a POST request with the cookies above? Please help. Thanks.
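As an added example (it is not part of the question or of the answer below), one way to stop guessing which cookie holds the token: read the hidden field that the login form itself carries and submit it under the form's own field name, and only fall back to the `_csrfToken` cookie from the question's cookie jar when the form has no such field. The sample login page, the `X-CSRF-Token` header used in the fallback and the `FakeSession` class are assumptions; `FakeSession` only stands in for a `requests.Session` so the code runs offline, and a real `requests.session()` can be passed to `login()` in its place.

```python
# Added example: pick the CSRF token the login form actually expects, then
# POST it with the same session so the cookies that accompany it are sent back.
import types
from html.parser import HTMLParser


class HiddenInputCollector(HTMLParser):
    """Collects the hidden <input> fields of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, {field name: value})
        self._current = None   # fields of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {}
            self.forms.append((a.get("action") or "", self._current))
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden" and a.get("name"):
                self._current[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def csrf_field_from_html(html):
    """Return (field_name, token) for the first hidden input whose name
    mentions csrf/xsrf, or None when no form carries such a field."""
    parser = HiddenInputCollector()
    parser.feed(html)
    for _action, fields in parser.forms:
        for name, value in fields.items():
            if "csrf" in name.lower() or "xsrf" in name.lower():
                return name, value
    return None


def login(session, url, email, password):
    """GET the login page, take the token from the form (preferred) or from
    the _csrfToken cookie (assumed double-submit fallback), then POST."""
    page = session.get(url)
    data = {"username": email, "password": password}
    headers = {"Referer": url}
    found = csrf_field_from_html(page.text)
    if found:
        name, token = found
        data[name] = token        # same field name the form uses
    else:
        # Assumption: the server compares a request header against the
        # _csrfToken cookie; the cookie name comes from the question.
        headers["X-CSRF-Token"] = session.cookies.get("_csrfToken", "")
    return session.post(url, data=data, headers=headers)


# Constructed sample login page; the token value is made up.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/login">
  <input type="hidden" name="_csrf" value="tok-constructed-0123456789">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form>
</body></html>
"""


class FakeSession:
    """Offline stand-in for requests.Session: serves one page, records the POST."""

    def __init__(self, html):
        self._html = html
        self.cookies = {}
        self.posted = None

    def get(self, url):
        return types.SimpleNamespace(text=self._html, status_code=200)

    def post(self, url, data=None, headers=None):
        self.posted = {"url": url, "data": data, "headers": headers}
        return types.SimpleNamespace(status_code=200)


if __name__ == "__main__":
    s = FakeSession(SAMPLE_LOGIN_PAGE)
    login(s, "https://subdomain.domain.dev/login", "user@example.com", "pw")
    print(s.posted)
```

If the form carries no hidden token at all, the remaining candidate is the cookie-based scheme, and which header or field name the server reads has to come from its CSRF middleware's documentation rather than from the cookie names.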
Answer 0: (score: 0)
import sys
import requests

URL = 'https://xxx.xxxxxxx.xxx/xxxx'
# EMAIL and PASSWORD were not defined in the posted code; placeholders added
EMAIL = 'user@example.com'
PASSWORD = 'password-placeholder'

client = requests.session()
# Retrieve the CSRF token first
client.get(URL)  # sets cookie
if 'csrftoken' in client.cookies:
    csrftoken = client.cookies['csrftoken']
else:
    csrftoken = client.cookies['csrf']
login_data = dict(username=EMAIL, password=PASSWORD, csrfmiddlewaretoken=csrftoken, next='/')
r = client.post(URL, data=login_data, headers=dict(Referer=URL))
Although with http (insecure) the Referer header is frequently filtered out, and it is easily spoofed anyway, so most sites no longer require the header to be set. However, when an SSL connection is used and has been set up, it does make sense to have the site confirm that the request at least refers to something that could logically have originated it.