Answer example to
Modified for to demonstrate failure with latest libraries.
- Start server
> lein ring server
- Get CSRF Token
curl -X GET --cookie-jar cookies "http://localhost:3000/"
Remember CSRF token
- Now send POST request
curl -X POST -v --cookie cookies -F "" --header "X-CSRF-Token: 2BYov8r71IswCQaQAIcvYxrihHRaqAdq5vFRM1zWbl4FzVz7KASo778zBFsq+cGtkLFzXYoUbWd0BqiU" "http://localhost:3000/send"
Result should be "ok"
And without a header it should be
With the latest versions of the compojure (>= 1.2.0) and ring libraries, I get "Invalid..." even with a valid token.
includes anti-forgery by default for POST requests (and others that modify data). Using wrap-defaults routes site-defaults together with wrap-anti-forgery generates the anti-forgery token twice, which invalidates the token you received from the GET request. So, just remove (wrap-anti-forgery).
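
The misconfiguration described above next to the corrected setup, as an added example that is not this repository's own code. The namespace, the var names and the route bodies are assumptions, and so is the order in which the two middlewares are composed.

```clojure
(ns example.handler
  ;; Hypothetical namespace; the required libraries are the ones named above.
  (:require [compojure.core :refer [defroutes GET POST]]
            [compojure.route :as route]
            [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery
                                                  *anti-forgery-token*]]))

(defroutes app-routes
  ;; Assumed handler: returns the token in the body so it can be copied
  ;; into the X-CSRF-Token header of the curl POST. `force` returns a plain
  ;; string unchanged and realises the value if the library binds a delay.
  (GET "/" [] (force *anti-forgery-token*))
  ;; Only reached when the anti-forgery check has passed.
  (POST "/send" [] "ok")
  (route/not-found "Not Found"))

;; Misconfigured: site-defaults already applies the anti-forgery middleware,
;; so adding wrap-anti-forgery by hand applies it a second time. This is the
;; setup the README reports as rejecting a valid token.
(def app-double-wrapped
  (-> (wrap-defaults app-routes site-defaults)
      (wrap-anti-forgery)))

;; Corrected: let site-defaults provide the session and the anti-forgery
;; check exactly once. CSRF protection stays on for POST /send.
(def app
  (wrap-defaults app-routes site-defaults))
```

Point the :ring :handler entry in project.clj at one of the two vars and repeat the curl steps above to compare the responses.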
Copyright © 2013 Eduard Bondarenko.
Distributed under the Eclipse Public License either version 1.0 or (at your option) any later version.