Question
I am following Django 1.3 Web Development, and for logins, I am getting the following error:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
This is my settings.py INSTALLED_APPS. It is exactly how the book says it should be.
    INSTALLED_APPS = (
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.sites',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        # Uncomment the next line to enable the admin:
        'django.contrib.admin',
        # Uncomment the next line to enable admin documentation:
        # 'django.contrib.admindocs',
        'djangocricket.Cricket',
        'djangocricket.cms',
    )
The book says it should contain django.contrib.auth.views.login, and I am including it in
    urlpatterns = patterns('',
        # Examples:
        url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
        url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
        url(r'^login/$', 'django.contrib.auth.views.login'),
        # url(r'^djangocricket/', include('djangocricket.foo.urls')),
        # Uncomment the admin/doc line below to enable admin documentation:
        # url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
        # Uncomment the next line to enable the admin:
        url(r'^news/', 'djangocricket.cms.views.index', name='index'),
        # url(r'^news/(?P<slug>[^\.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
        url(r'^admin/', include(admin.site.urls)),
    )
and my registration/login.html, copy-pasted from the book. It should do.
    <html>
    <head>
    <title>Django Bookmarks - User Login</title>
    </head>
    <body>
    <h1>User Login</h1>
    {% if form.errors %}
    <p>Your username and password didn't match.
    Please try again.</p>
    {% endif %}
    <form method="post" action=".">
    <p><label for="id_username">Username:</label>
    {{ form.username }}</p>
    <p><label for="id_password">Password:</label>
    {{ form.password }}</p>
    <input type="hidden" name="next" value="/" />
    <input type="submit" value="login" />
    </form>
    </body>
    </html>
What am I missing?
Answer 1:
You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.
This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.
For more info, check the Django documentation at: https://docs.djangoproject.com/en/dev/ref/csrf/
Here is an overview of the Cross-Site Request Forgery attack: https://www.owasp.org/index.php/CSRF
Answer 2:
If you use the csrf_token template tag but nothing changes, check the CSRF_COOKIE_DOMAIN setting. You should set it to None in the development environment.
Answer 3:
I had the same problem. I solved this problem when I added the {% csrf_token %}. Finally my code is this:
    <form id='formulario2' method='post' action=''>
    <h3>Enter:</h3>
    {% csrf_token %}
    <input id="id_mesaje" name="mesaje" type="email" placeholder="E-mail"/>
    <input type='submit' name="boton2" value='Suscribete' style="display:inline-block;background-color: #80e174; "/>
    </form>
Answer 4:
Just wanted to give additional info on the topic. If it ever happens to you and you are sure that the token is injected in the form and the view functions are handling everything properly but the problem persists, make sure that there is no JavaScript code disabling the input fields. Happened to me; after a couple of hours of debugging, I finally realized that.
<input type="hidden" name="csrfmiddlewaretoken" value="pHK2CZzBB323BM2Nq7DE2sxnQoBG1jPl" disabled="">
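To make the mechanism described in Answer 1 and the pitfall in Answer 4 concrete, here is an added Python model of the check (not Django's own code; the function names and the simplified cookie-versus-field comparison are this example's assumptions). A browser never submits a disabled input, so a token that is present in the HTML but disabled still produces the 403 from the question.

```python
import hmac
import secrets
from html.parser import HTMLParser

# Simplified model of Django's CSRF protection: a per-client secret is issued in a cookie,
# {% csrf_token %} echoes it as a hidden "csrfmiddlewaretoken" field, and a POST is accepted
# only when the submitted field matches the cookie. Names here are this example's own.


def issue_csrf_cookie():
    """Server side: the secret that goes into the csrftoken cookie."""
    return secrets.token_urlsafe(32)


def render_login_form(csrf_secret, disable_token=False):
    """Template side: a login form with the hidden token {% csrf_token %} would render.
    disable_token simulates JavaScript that disabled the hidden field (Answer 4)."""
    disabled = ' disabled=""' if disable_token else ''
    return (
        '<form method="post" action=".">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{csrf_secret}"{disabled}/>'
        '<input type="text" name="username" value="alice"/>'      # constructed sample values
        '<input type="password" name="password" value="s3cret"/>'
        '<input type="submit" value="login"/></form>'
    )


class _FormFields(HTMLParser):
    """Browser side: collect the named inputs a browser submits; disabled inputs are skipped."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'input' and a.get('name') and 'disabled' not in a:
            self.fields[a['name']] = a.get('value', '')


def submit_form(html):
    """Return the POST body (as a dict) a browser would send for this form."""
    parser = _FormFields()
    parser.feed(html)
    return parser.fields


def check_csrf(cookie_secret, post_fields):
    """Middleware side: (status, reason), mirroring Django's 403 page text."""
    token = post_fields.get('csrfmiddlewaretoken')
    if cookie_secret is None or token is None or not hmac.compare_digest(cookie_secret, token):
        return 403, 'CSRF token missing or incorrect.'
    return 200, 'OK'
```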
Answer 5:
{% csrf_token %} inside your form. This worked out for me. So why do we use the Cross-Site Request Forgery token?
Well, the answer is pretty simple: it just adds another security layer to your web page, whereby a malicious user cannot validate a request using a wrong token.
Source: https://stackoverflow.com/questions/9692625/csrf-verification-failed-request-aborted-on-django