Good, it works for you, but I am not convinced, your program works as intended. Consider:
Token in HTTP-header (your current fix):
my $res = $ua->request(POST $url,
'user-agent' => 'Mozilla/5.0',
':member_verbosity_threshold' => 0,
':csrf_token' => '2802000000...
+',
#-- not required: 'content-type' => 'application/x
+-www-form-urlencoded',
);
Result:
POST /xxx HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost:5000
User-Agent: Mozilla/5.0
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
csrf_token: 28020000006.....
member_verbosity_threshold: 0
Token in HTTP-body (content) - this is more like what your <FORM ...> example would do:
my $res2 = $ua->request(POST $url,
'user-agent' => 'Mozilla/5.0',
':member_verbosity_threshold' => 0,
#-- not in header: ':csrf_token' => '28020000006..
+...',
Content => [ csrf_token =
+> '28020000006.....', ] #-- but in body
);
Result:
POST /xxx HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: localhost:5000
User-Agent: Mozilla/5.0
Content-Length: 27
Content-Type: application/x-www-form-urlencoded
member_verbosity_threshold: 0
csrf_token=28020000006.....
Hope, that shed some light.
I was also going to nitpick, that you should prepend your non-standard headers with 'X-' (like X-Csrf-Token), but that practise seems discouraged since a couple of years: SO: Custom HTTP headers : naming conventions. Thanks, I learned something new ;-)
|