2

I've published my site with PythonAnywhere. Inside there is a simple login for users. I created a user, and when I authenticate with my own computer it works, but when I authenticate with another machine I get this error:

Forbidden (403) - CSRF verification failed. Request aborted.

My site is published on a domain name and everything else works just fine. What can be the problem?

Everything was set up correctly, with the correct middleware, context and CSRF protections, since I can log in with my own computer.

Update with code:

```python
MIDDLEWARE_CLASSES = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

login.py

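```python
from django.contrib.auth import authenticate, login as auth_login
from django.shortcuts import redirect, render


def login(request):
    context = {}
    if request.method == "POST":
        # .get() avoids a MultiValueDictKeyError when a field is missing from the POST
        username = request.POST.get('username', '')
        password = request.POST.get('password', '')
        user = authenticate(username=username, password=password)
        if user is not None:
            if user.is_active:
                # Attach the authenticated user to the session
                auth_login(request, user)
                return redirect('login')
            else:
                context['error'] = 'L\'utilisateur a été désactivé'
        else:
            context['error'] = 'Mauvais nom d\'utilisateur ou mot de passe'

    # GET requests and failed logins re-render the form (and its CSRF token)
    return render(request, 'user.html', context)
```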

user.html

```html
<form method="post" action="{% url 'login' %}">
    {% csrf_token %}
    <p>Nom :<input type="text" class="form-control" name="username"></p>
    <p>Mot de passe:<input type="password" class="form-control" name="password"></p>
    <input class="submit btn btn-success pull-right" value="Se connecter" type="submit">
</form>
```
Horai Nuri
  • Possible duplicate of [Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}](http://stackoverflow.com/questions/20895526/forbidden-403-csrf-verification-failed-request-aborted-even-using-the-csr) – Ari Gold Feb 28 '17 at 16:47
  • @AriGold No it's not, everything is set up correctly, otherwise it'd show me the error in development mode and on my own computer. – Horai Nuri Feb 28 '17 at 16:51
  • 1
    If everything is set up correctly there seems to be a problem with that other PC... Do you have another PC to test with? – Jingo Feb 28 '17 at 16:56
  • @Jingo I've tested it with 3 PCs already I will edit my code to show how my login code is protected – Horai Nuri Feb 28 '17 at 16:58
  • @Jingo Check out the update – Horai Nuri Feb 28 '17 at 17:03
  • 1
    what I can say at least is that it should be `return redirect('login')` – Jingo Feb 28 '17 at 17:11
  • @Jingo sorry I made a typo it is already return redirect(reverse('login')) – Horai Nuri Feb 28 '17 at 17:26
  • 2
    Have you inspected your HTML to see what the `{% csrf_token %}` rendered? Does the hidden field contain a key or an error message? – Soviut Feb 28 '17 at 17:32

1 Answer

0

I resolved my issue by using the built-in login with Django by following this tutorial:

I didn't find the reason why my csrf checking wasn't working since there was no error on the console and the token was showing just fine using {{ csrf_token }}.

Horai Nuri
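A check for the situation in the question (login works in one browser, a fresh one gets the 403), added here as an example and not code from the post: Django's CSRF check needs the `csrftoken` cookie and the `csrfmiddlewaretoken` form field to arrive together on the POST, so the function reads the raw response to the login page GET and lists why a new browser would not send both. `diagnose_csrf`, `TokenFieldFinder`, the sample response and `example.com` are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed response to GET /login/ from a client with no cookies (not from the post).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: csrftoken=CONSTRUCTED123; Domain=.example.com; Path=/; Secure\r\n"
    "\r\n"
    '<form method="post" action="/login/">'
    "<input type='hidden' name='csrfmiddlewaretoken' value='CONSTRUCTED123' />"
    "</form>"
)


class TokenFieldFinder(HTMLParser):
    """Collects the value of every csrfmiddlewaretoken input in the page."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)
        if tag == "input" and fields.get("name") == "csrfmiddlewaretoken":
            self.values.append(fields.get("value") or "")


def diagnose_csrf(raw_response, host, scheme):
    """List the reasons a fresh browser's next POST would fail Django's CSRF check."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings, cookie = [], None
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            cookie = jar.get("csrftoken", cookie)  # Django's default cookie name
    if cookie is None:
        findings.append("no csrftoken cookie set")
    else:
        domain = cookie["domain"].lstrip(".")
        if domain and host != domain and not host.endswith("." + domain):
            findings.append("cookie Domain does not match host")
        if cookie["secure"] and scheme != "https":
            findings.append("Secure cookie on an http page")
    finder = TokenFieldFinder()
    finder.feed(body)
    if not any(finder.values):
        findings.append("no csrfmiddlewaretoken field in form")
    return findings
```

The `Secure` and `Domain` attributes it inspects are controlled by Django's `CSRF_COOKIE_SECURE` and `CSRF_COOKIE_DOMAIN` settings; capture the response from a client that holds no cookies for the site, since a browser that already has a valid `csrftoken` can hide the problem.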