Can you share your code? If you make your POST requests via forms make sure that you generation forms with Yesod functions, in this case it will insert hidden field with CSRF token to resulting form widget automatically. If you sending requests via XHR make sure to use `defaultCsrfMiddleware` from Yesod.Core. Hope this helps. ср, 17 февр. 2016 г. в 15:38, fr33domlover :

Hello,

I started a new Yesod web app few days ago. I'm using stack, LTS-5.1, and the yesod-postgres scaffolding.

When I try to log in into my new minimal app, I get an error: A valid CSRF token wasn't present in HTTP headers or POST parameters. That's because the POST request doesn't include that token for some reason. But I don't know why.

I found a recent PR which removes the CSRF token checking from the scaffolding, but I do want CSRF protection to work. As a Yesod beginner, I'm not sure exactly why the token doesn't get inserted where it should (the Yesod book says yesod-form does insert it, so I assume this is a bug here) and how I can fix that. Even if I inserted the token manually into the login form, what about all the other POST requests my app may use, such as logout?

I also found a commit that adds the token to the redirectToPost function in yesod-core, but

(1) It's in the most recent release, not in LTS (2) I'm not sure it has anything to do with it because it seems to be some sort of JS based form

Anyone knows whether this is a known issue and how to fix it?

Thanks! --fr33 _______________________________________________ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe