
Most of the SO answers are asking to clear cookies and confirm middleware class. I have already tried that.

Python - 3.4
Django - 1.10
Using VirtualEnv.

I am getting a `Forbidden (403) CSRF verification failed. Request aborted.` error on the Django admin login screen. I have hosted my site on pythonanywhere.com with Django version 1.9.

  • I have cleared the browser cookies. All of them.
  • I reloaded the login screen. GET request.
  • In the browser cookies, which were empty till now, one value has been set for my website, where the csrf value is = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  • In the response header, Set-Cookie was sent with cookie value = UT24544MghHLZi0IrGHQlCcpk1v0SbCy. The same value was available in the form's source code.
  • Now I entered the username and password and clicked on the login button.
  • Received the 403 error `CSRF verification failed. Request aborted.`
  • I rechecked all the values of the csrf token.
  • In the request header, CSRF cookie value = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  • In the form data, csrf value = UT24544MghHLZi0IrGHQlCcpk1v0SbCy

  • I already have 'django.middleware.csrf.CsrfViewMiddleware', in middleware classes. I cleared browser cache and cookies. Even restarted the system.

I have used exactly the same code on a different site where it is working perfectly fine.

Why are there different csrf-token values? What is the solution to this problem?

update 1: If I set debug = False in settings, it works fine. But I can't keep it that way as the code is live.

update 2: Upon further investigation I found out that somehow the browser cookie csrftoken's value is not being set to the correct value which is being passed in the response header. If I delete the cookie from the browser and then set it to the correct value from the console, POST requests work.

update 3: Now the same issue is happening with every POST request or form submission I am doing on my web app. The CSRF token value sent in the response header and source code is not the same as the one being set in the browser cookies.

update 4: Setting CSRF_COOKIE_NAME = "csrf_token" also didn't help.

Anurag Rana

1 Answer


The unexpected value for the CSRF token is set when the browser tries to fetch the favicon.

The URL you have defined for your favicon seems to be invalid, and apparently, non-existing URLs are handled by your default view. This sets a different CSRF cookie, but the page that is displayed in the browser still has the initial CSRF token in the form.

Request loading the page: [screenshot of the request/response headers]

Request loading the favicon: [screenshot of the request/response headers]

You can fix this particular error by ensuring that the favicon exists.

Note that this bug will come back whenever any resource you link (e.g. an image) does not exist, because your app renders the homepage instead of returning a 404 error.

Daniel Hepper
  • Thanks a lot Daniel. I am using the HomePage view for handling mistyped URLs. Is it possible that the home page is loaded when someone types a wrong URL but is just ignored when images are not found? – Anurag Rana Feb 04 '17 at 13:07
  • 1
    A good solution depends on how you implemented that fallback. It's probably best to ask a new question for that. As a workaround, you could check in your `HomePage` view if `request.path` starts with `/static/` and return a 404 response. – Daniel Hepper Feb 04 '17 at 16:20
  • Oh my goodness, thank you for posting this. I've been trying to sort this error for a few days now and it absolutely stumped me. Can't believe it was something like this which was causing the error. – Nick Polet May 10 '17 at 00:00
  • I would have never thought of this! Unfortunately, I set the favicon correctly now, and still I get the same error. :-( – physicalattraction May 21 '17 at 10:29
  • @DanielHepper why does setting debug = False solve this problem? – Amit Tripathi Sep 17 '17 at 05:34
  • @AmitTripathi I think that this is a typo and that it is the other way around, setting DEBUG = True solves the problem. I'm not sure why it makes a difference, my guess is that Django's static file serving is used in debug mode, which returns a 404 for non-existing files and doesn't set a CSRF token. – Daniel Hepper Sep 17 '17 at 14:54
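The failure mode the answer describes, and the workaround from the comments, as an added, self-contained simulation that is not part of the question, the answer, or Django itself. It models only the essentials: a login view that mints a CSRF token into both the form and a `Set-Cookie` header, a catch-all fallback view that renders the same kind of page for any unknown URL, and a CSRF check that compares the cookie token with the form token (which is what `CsrfViewMiddleware` does in essence). The class and function names, the asset paths and the assumption that the fallback mints a fresh token on every response are all constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    """Hypothetical minimal HTTP response: status, body and cookies to set."""
    status: int
    body: str = ""
    set_cookie: dict = field(default_factory=dict)


class FakeDjangoApp:
    """Stand-in for the questioner's site (constructed for this example)."""

    def __init__(self, fallback_ignores_assets: bool):
        # True = apply the workaround: asset-looking paths get a 404 from the
        # fallback instead of the rendered homepage.
        self.fallback_ignores_assets = fallback_ignores_assets
        self.existing_files = set()  # like the question: the favicon does not exist

    def _render_with_csrf(self) -> Response:
        # Like the csrf_token template tag: the token goes into the form and the
        # same value is sent back in Set-Cookie (assumed fresh on every render).
        token = secrets.token_urlsafe(24)
        body = f'<form method="post"><input name="csrfmiddlewaretoken" value="{token}"></form>'
        return Response(200, body, {"csrftoken": token})

    def get(self, path: str) -> Response:
        if path == "/admin/login/":
            return self._render_with_csrf()
        if path in self.existing_files:
            return Response(200, "<file bytes>")
        # Catch-all for mistyped URLs. With the workaround, assets that are not
        # found produce a plain 404 that sets no cookie at all.
        if self.fallback_ignores_assets and (
            path.startswith("/static/") or path == "/favicon.ico"
        ):
            return Response(404, "Not Found")
        # The bug: the homepage (which carries a form, hence a CSRF cookie) is
        # rendered for /favicon.ico too, rotating the browser's csrftoken.
        return self._render_with_csrf()

    def post(self, path: str, cookies: dict, form: dict) -> Response:
        # The check the middleware performs: cookie token must equal form token.
        cookie_token = cookies.get("csrftoken", "")
        form_token = form.get("csrfmiddlewaretoken", "")
        if not cookie_token or not secrets.compare_digest(cookie_token, form_token):
            return Response(403, "CSRF verification failed. Request aborted.")
        return Response(302, "logged in")


def form_token_of(page: Response) -> str:
    """Pull the csrfmiddlewaretoken value out of the rendered form."""
    return page.body.split('value="')[1].split('"')[0]


def simulate_login(fallback_ignores_assets: bool) -> int:
    """Replay the browser's sequence from the question and return the POST status."""
    app = FakeDjangoApp(fallback_ignores_assets)
    cookie_jar = {}

    # 1. GET the login page; the browser stores the cookie and shows the form.
    page = app.get("/admin/login/")
    cookie_jar.update(page.set_cookie)
    token_in_form = form_token_of(page)

    # 2. The browser fetches the favicon on its own. If the fallback renders the
    #    homepage here, its Set-Cookie silently overwrites csrftoken.
    icon = app.get("/favicon.ico")
    cookie_jar.update(icon.set_cookie)

    # 3. Submit the form that is still on screen with the old token in it.
    result = app.post(
        "/admin/login/",
        cookie_jar,
        {"csrfmiddlewaretoken": token_in_form, "username": "u", "password": "p"},
    )
    return result.status


if __name__ == "__main__":
    print("buggy fallback:", simulate_login(False))   # 403, like the question
    print("with 404 guard:", simulate_login(True))    # 302, login proceeds
```

The same replay explains why the symptom is intermittent across sites: only a page that references a missing asset triggers the second render, so the question's "exact same code works elsewhere" is consistent with that other site simply having its favicon in place. A real Django fallback view would return `django.http.HttpResponseNotFound()` (or raise `Http404`) in the guarded branch instead of the constructed `Response(404, ...)` used here.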