6

I'm getting many failures from the CSRF Django middleware on my site (the version from SVN trunk.) The only errors I get are: CSRF failure: reason=CSRF token missing or incorrect.

How could I diagnose where these CSRF errors are coming from? I can't cause the CSRF errors myself, but I setup the site to email me whenever the CSRF error view is triggered so I know that it is happening often.

MikeN
  • 45,039
  • 49
  • 151
  • 227

4 Answers4

15

I really struggled to get it right, but eventually did. Here were my main issues (Django 1.2 beta):

  1. Make sure your middleware stuff is right, according to the version of Django that you are using. This is well covered in Django's literature online.
  2. Make sure that you have the {% csrf_token %} in each form,just following the opening tag for the form
  3. This was my main problem, make sure that all your forms have an go-to page, i.e. don't do action="" in your form.

  4. Make sure that your settings emails are all the right ones. I had to do something like this:

    EMAIL_HOST='mail.my-domain.com' EMAIL_HOST_USER='my user name on the server' EMAIL_HOST_PASSWORD='passwd' EMAIL_PORT= '26' # often seems to be 25 or 26 on many of the forum posts I read DEFAULT_FROM_EMAIL='noreply@domain.com' # on hosted domains, make sure it is set up and sending SERVER_EMAIL = 'noreply@domain.com' # Same email as above

    1. Add the request_context to the end of your render_to_response

    return render_to_response('contact.htm',{'favicon':r'____.ico', 'more_stuff':"......" 'more_stuff':"......" 'more_stuff':"......" }, context_instance = RequestContext(request))

Make sure you have:

TEMPLATE_CONTEXT_PROCESSORS = (
     "django.contrib.auth.context_processors.csrf",
     .....
   )

in your settings.py file.

Note that this is really not a how to, this is just what I did to get mine working. The reason for posting it now is that I see so many people on forums discussing this topic resort to just turning the csrf_token off.

Vernon
  • 2,703
  • 2
  • 24
  • 30
  • I tried everything on here, no luck. As far as I can tell I'm doing everything by the book. (Django 1.3). Anyone else have any other ideas? I've turned CSFR off for the moment. – araneae Oct 20 '11 at 02:07
  • I'm having similar problems, and do have empty action urls in many forms. Out of interest, what's the reason this causes a problem? I can see here: http://stackoverflow.com/questions/1131781/is-it-a-good-practice-to-use-an-empty-url-for-a-html-forms-action-attribute-a that it's not in the spec, but I wonder why it causes a problem? – bjw Aug 17 '12 at 10:43
  • Also, @araneae Turning off crsf protection without a good reason is a bad idea, and this comment might lead others to do the same. The only case I can see it being necessary to turn off is for some ajax scenarios, and perhaps also taking POST data from third party APIs like Twilio. – bjw Aug 17 '12 at 11:18
2

A CSRF error should happen when the middleware successfully stops a Cross Site Request Forgery attack. Probably the best way to verify that this is the case it to check your web server logs and you should see requests that aren't related to an earlier request.

David Locke
  • 17,926
  • 9
  • 33
  • 53
  • I seem to get CSRF errors on all public pages that do a post and do not have the special key. My workaround was to use the disable_csrf decorator on all public views. – MikeN Dec 20 '09 at 15:40
1

Also you should check the order of the MIDDLEWARE_CLASSES in your settings.py file. Should look something like this:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.locale.LocaleMiddleware',
)

LocaleMiddleware at the end. For me, the solution was the RequestContext instance and the ordering.

stema
  • 90,351
  • 20
  • 107
  • 135
duckhunt
  • 333
  • 1
  • 6
  • 23
0

Make sure your view function for GET Request looks like this:

def login_view():
c = {}
c.update(csrf(request))
request.session.set_expiry(0)
if request.method == 'GET':
  return render_to_response('newform.html',<b>c</b>)

Then check the view source for your newform.html, it must have Hidden field.

<`form action="" method="post" name="loginform"> <`div style='display:none'`><`input type='hidden' name='csrfmiddlewaretoken' value='6f4dee99ab2f5e7201e057cb63' />

Here, action can refer the same page, action="".

Cosmin
  • 21,216
  • 5
  • 45
  • 60
Yatin Kumbhare
  • 284
  • 2
  • 3
  • 6