
I understand that this error occurs when the csrf token isn't included in the form when submitting, but this is not the case this time.

I am trying to log in to the admin site. The admin login form has the csrf token included, and I can see that the value of that csrf token matches the csrf cookie's value. Also, when I submit, I can see that the same csrf token is posted to the server.

But still, I get the CSRF verification failed message. I am sure that if I clear the cookies it will work, but I don't understand why this happens.

One thing to note about my session engine setting:

    SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'

I don't know if this setting matters, but I should point it out.


Update: Ok, I turned on debug and here is more info:

Reason given for failure:

    CSRF cookie not set.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.

I am pretty sure my browser accepts cookies, because I can see the cookie value in my browser, and I can also see the cookie being set in the HTTP header:

    Set-Cookie:csrftoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW; expires=Fri, 12-May-2017 07:28:00 GMT; Max-Age=31449600; Path=/

The view function passes a request to the template's render method. In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.

Since I am using Django's own admin pages, I am sure there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.

Also, I can see when the post action happens, the csrf value is passed along:

    csrfmiddlewaretoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW&username=cheng&password=&next=%2Fadmin%2F

I deleted the value for the password field for obvious reasons.

If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.

Well, I have the CsrfViewMiddleware in my settings.py file. Also, Django's own admin site knows how to handle csrf_token.

I have seen this error before and I solved it by clearing cookies. But for regular users who don't know about cookies, this can be a show stopper. I suspect that it has something to do with the cookie-engine setting.

Cheng
  • Possible duplicate of [Django CSRF cookie not set correctly](http://stackoverflow.com/questions/38302058/django-csrf-cookie-not-set-correctly) – Cheng Jul 19 '16 at 10:14
  • Or, if cookie verified to be set correctly, possible duplicate of: [Django CSRF failure after upgrade](https://stackoverflow.com/questions/44806375/django-csrf-failure-after-upgrade-1-9-1-11). I had similar behavior and "fixed" it by cache-busting existing CSRF cookies via [renaming the CSRF](https://docs.djangoproject.com/en/2.0/ref/settings/#csrf-cookie-name) and [session cookie names](https://docs.djangoproject.com/en/2.0/ref/settings/#session-cookie-name). The session cookie needed to be renamed to force users to login to start a new session. Clearing the session table wasn't enough. – guidos Jan 08 '18 at 20:54
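To make the two failure reasons in the question reproducible offline, here is an added example (not code from the question, from the answer, or from Django itself) that re-implements the "double submit" comparison Django's CsrfViewMiddleware performs: the csrftoken cookie must arrive on the request, and the posted csrfmiddlewaretoken field must match it. It models the plain comparison of the 1.9-era middleware; later Django versions salt the form token before comparing, which this example does not model. The sample cookie and POST body are the values quoted in the question; the function name csrf_check and the scenario labels are this example's own.

```python
# Added example: stand-alone model of Django's CSRF double-submit check.
# Not Django's code; it reproduces the two reason strings the middleware
# reports so the question's "CSRF cookie not set." can be traced to its cause.
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

CSRF_COOKIE_NAME = "csrftoken"            # Django's default CSRF_COOKIE_NAME
CSRF_FORM_FIELD = "csrfmiddlewaretoken"   # hidden field rendered by {% csrf_token %}

# Values quoted in the question (the password was blanked by the asker).
SAMPLE_COOKIE_HEADER = "csrftoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW"
SAMPLE_BODY = ("csrfmiddlewaretoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW"
               "&username=cheng&password=&next=%2Fadmin%2F")


def csrf_check(cookie_header, form_body):
    """Return None when the check passes, otherwise Django's reason string.

    cookie_header: the raw 'Cookie:' header of the POST *request* ('' when the
                   browser sent none). Note this is not the 'Set-Cookie:'
                   header of an earlier response, which only shows that the
                   server asked the browser to store the cookie.
    form_body:     the url-encoded POST body.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if CSRF_COOKIE_NAME not in jar:
        # The branch the question hits: a token is in the body, but the
        # server never received the cookie on this request.
        return "CSRF cookie not set."
    cookie_token = jar[CSRF_COOKIE_NAME].value
    posted = parse_qs(form_body).get(CSRF_FORM_FIELD, [""])[0]
    # Constant-time comparison, as the middleware does.
    if not hmac.compare_digest(posted.encode(), cookie_token.encode()):
        return "CSRF token missing or incorrect."
    return None


def diagnose():
    """Run the sample request through several constructed scenarios."""
    return {
        "cookie and token match": csrf_check(SAMPLE_COOKIE_HEADER, SAMPLE_BODY),
        "no Cookie header at all": csrf_check("", SAMPLE_BODY),
        "other cookies but no csrftoken": csrf_check("sessionid=abc123", SAMPLE_BODY),
        "cookie present, token field missing": csrf_check(
            SAMPLE_COOKIE_HEADER, "username=cheng&password=&next=%2Fadmin%2F"),
        "cookie present, stale token posted": csrf_check(
            SAMPLE_COOKIE_HEADER, "csrfmiddlewaretoken=0000000000000000stale"),
    }


if __name__ == "__main__":
    for scenario, reason in diagnose().items():
        print(f"{scenario:40s} -> {reason or 'OK'}")
```

The practical point for debugging the question's situation: "CSRF cookie not set." is produced only when the csrftoken cookie is absent from the Cookie header of the POST request itself, so the Set-Cookie response header and the hidden form field shown in the question do not settle it. Capturing the request's Cookie header (browser devtools or a proxy) and checking the cookie's Path, Domain and Secure attributes against the URL being posted to is the check that distinguishes "browser stored it" from "browser sent it".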

1 Answer


This issue might be due to the fact that your changes to the form, i.e. adding the {% csrf_token %}, didn't come into effect. Refresh your FORM PAGE, and then provide the inputs again. Might just work fine.