Login and Authorization Tokens¶
The API includes as part of responses a X-CSRFToken
response
header that is set to the CSRF token, for example to KEMzraBRygy2ZJ7fLuvbfKhAEIPK9D4s
.
API clients should source the CSRF token from this header.
For background on CSRF, see:
The API also includes as a part of responses a csrftoken
cookie containing the
CSRF token. This cookie is marked httponly
and as such is not readable by browser-based
client scripts. API clients should not try to source the CSRF token from this cookie.
The X-CSRFToken
response header and csrftoken
cookie values are identical.
When performing requests that require CSRF token validation, API clients should follow the general procedure:
Prior to performing the principal request, perform a request to the API and retrieve a CSRF token from the resulting response’s
X-CSRFToken
response header. The CSRF token remains constant for the duration of a session, so clients could perform this request once per session (post authentication), storing the CSRF token and using it for subsequent requests.Clients should also retrieve the
csrftoken
cookie from the response.For the primary request, include a
X-CSRFToken
request header containing the CSRF token as sourced from the response header, as well as the unchangedcsrftoken
cookie.Note
Cookies must conform to https://tools.ietf.org/html/rfc6265
Example for login:
GET http://localhost:8000/login/
Raw response headers:
Cache-Control: max-age=0
Connection: keep-alive
Content-Encoding: gzip
Content-Language: en-us
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2015 09:18:47 GMT
Expires: Mon, 20 Apr 2015 09:18:47 GMT
Last-Modified: Mon, 20 Apr 2015 09:18:47 GMT
Server: nginx/1.4.6 (Ubuntu)
Set-Cookie: csrftoken=KEMzraBRygy2ZJ7fLuvbfKhAEIPK9D4s;
SameSite=Lax;
httponly;
Path=/
sessionid=5d1ccc96cbd7e7f290020aaedd64c1b3; httponly; Path=/
sso_login_url=; Path=/
Transfer-Encoding: chunked
Vary: Accept-Encoding, Cookie, Accept-Language, X-CSRFToken
X-CSRFToken: KEMzraBRygy2ZJ7fLuvbfKhAEIPK9D4s
Source the CSRF token from response’s
X-CSRFToken
header.Retain the CSRF cookie from response’s
csrftoken
cookie.Now perform the primary POST /login/ request to login, including the CSRF token as a
X-CSRFToken
request header as well as the unchangedcsrftoken
cookie:
POST http://localhost:8000/login/
Raw request headers:
Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8000/login/
Cookie: sessionid=5d1ccc96cbd7e7f290020aaedd64c1b3; csrftoken=KEMzraBRygy2ZJ7fLuvbfKhAEIPK9D4s; sso_login_url=
Connection: keep-alive
X-CSRFToken: KEMzraBRygy2ZJ7fLuvbfKhAEIPK9D4s
With for example payload as parameters:
&username=joe
&password=bloggs
&next=%2F