求教 express 3.2 csrf , form提交以后总是报错.
app.configure(function () {
var viewsRoot = path.join(__dirname, 'views');
app.set('view engine', 'jade');
app.set('views', viewsRoot);
app.use(express.cookieParser());
app.use(express.session({
secret: config.session_secret
}));
app.use(express.csrf());
app.use(function(req, res, next){
res.locals.token = req.session._csrf;
next();
});
});
上面是 app.js里的代码, 用的jade框架,form页面能显示出来.
<input type="hidden" name="_csrf" value="4UfvarvZ7xXx_Ylt-1VNhFtX">
但是一提交到另外一个页面:
exports.makenew = function(req,res,next ) {
console.log("here u r. what r u look for?");
console.log(req.body);
}
第一console都不会显示 直接报错:
Express
403 Error: Forbidden
at Object.exports.error (/mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/utils.js:60:13)
at Object.handle (/mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
at next (/mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/proto.js:190:15)
at next (/mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9)
at /mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9
at /mydata/myweb/nodejs/node_modules/express/node_modules/connect/lib/middleware/session/memory.js:50:9
at process._tickCallback (node.js:415:13)
求大神帮忙看看, 谢谢了~
5 回复
csrf原理是比较session._csrf是否等于提交参数的_csrf,具体到楼主的问题,就是session._csrf是否等于req.body._csrf。既然抛出403,两者肯定不相等。根据代码session._csrf没问题,那么很可能就是req.body._csrf出问题了,但是form的_csrf有值,进一步推测req.body为空。req.body为空!?回头一看代码,csrf中间件前面没有bodyParser中间呢。。。。以上。
