CSRF token missing or incorrect on one page

0
votes

Have a homepage there every page with a form works fine.
Added a form to my start page and in my local server it works fine.
But when I add it to the production server it does not work.
It say's that CSRF- token is missing or incorret.
But I have added the token, and it works all the other pages.

What is that I'm missing... ?

View 

  @login_required
    def start(request) :
        libs = Library.objects.all();
        header = Header('Start');
        studies = None;
        source = None;
        if request.method == 'POST' :
            if 'Show_studie' in request.POST:
                studies = Study.objects.all;
            if 'Show_source' in request.POST:
                source = Source.objects.all;
        dctArgs = {
            'library_list': libs,
            'styles_dir': conf.styles_path,
            'header': header.html,
            'studies_list':studies,
            'source_list':source,
            'images_dir': conf.images_path,
            };
        return render_to_response('start.html', dctArgs, RequestContext(request));

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
<link rel="stylesheet" type="text/css" href="{{styles_dir}}/common.css" />
<link rel="stylesheet" type="text/css" href="{{styles_dir}}/header.css" />
<link rel="stylesheet" type="text/css" href="{{styles_dir}}/Headerstyles.css" />
</HEAD>
<BODY>
{{header|safe}}
<h1></h1>
<table id="doc_tbl" class="data" cellspacing=0>
<tr>
  <th>Name</th>
  <th>Documents</th>
  <th>Export</th>
</tr>
{% for library in library_list %}
    <tr>
    <td><a href="/library_overview/{{library.id}}/">{{library.name}}</a></td>
    <td>{{library.source_set.all|length}}</td>
    <td><a href="/library_export/{{library.id}}/format/TS/">Andra till Jesper Export</a></td>
    </tr>
{% endfor %}
</table>
<h3>Messages</h3>
{{messages}}
</br>
<form id="form1" name="form1" method="post" action="/start/" enctype="multipart/form-data">
{% csrf_token %}
<fieldset style="width:300px; margin-left:5px;">
<legend> Show all </legend>
<input type="checkbox" name="Show_studie" value="Show Studie"> Studie
<input type="checkbox" name="Show_source" value="Show Source"> Source
</br>
</br>
<input type="submit" value="Show All">
</fieldset>
{% if studies_list %}
<h3> Studies </h3>
<table class="table1">
<thead>
<tr>
  <th></th>
  <th scope="col1" >Name</th>
  <th scope="col1" >Added by</th>
</tr>
</thead>
{% for study in studies_list %}
<tbody>
<tr>
<td>
  <a href="/define_study/{{study.id}}/edit/"><img class="icon" src="{{images_dir}}/edit-icon.png"/></a>
  &nbsp;
  <img onclick="javascript:return confirmDelete_name('Are you sure? The study and any associated information will be deleted.', {{study.id}}, 'delete_study');" class="icon" src="{{images_dir}}/delete-icon.png"/>
</td>
<td><a href="/define_study/{{study.id}}/">{{study.name}}</a></td>
<td>{{study.metadata_added_by_user.first_name}}&nbsp;{{study.metadata_added_by_user.last_name}}</td>
</tr>
{% endfor %}
</table>
{% endif %}
{% if source_list %}
<h3> Source </h3>
<table class="table1">
<thead>
<tr>
  <th></th>
  <th scope="col1" >Name</th>
  <th scope="col1" >Added by</th>
</tr>
</thead>
{% for source in source_list %}
<tbody>
<tr>
<td>
  <a href="/define_study/{{study.id}}/edit/"><img class="icon" src="{{images_dir}}/edit-icon.png"/></a>
  &nbsp;
  <img onclick="javascript:return confirmDelete_name('Are you sure? The study and any associated information will be deleted.', {{study.id}}, 'delete_study');" class="icon" src="{{images_dir}}/delete-icon.png"/>
</td>
<td><a href="/define_study/{{study.id}}/">{{source.name}}</a></td>
<td>{{source.metadata_added_by_user.first_name}}&nbsp;{{source.metadata_added_by_user.last_name}}</td>
</tr>
{% endfor %}
{% endif %}
</tbody>
</table>
</form> 
</BODY>
</HTML>

Forbidden (403) CSRF verification failed. Request aborted. Help Reason given for failure: CSRF token missing or incorrect.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's
CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
• The view function uses RequestContext for the template, instead of Context.
• In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
• If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views
that use the csrf_token template tag, as well as those that accept the POST data. You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.

Settings

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

On the page that working I get this message: 

<django.contrib.messages.storage.fallback.FallbackStorage object at 0x03B7A270>
2
djangopython-2.6
Show us some details! - Rohan
We cannot help you unless we see the code that you are using. So update the question with your views.py and your template that is causing the problem. - Burhan Khalid
CRSF token works with cookies and HTTP headers. Did you change of web browser ? Can we have some information about your server & browser cookie policies, and about how you added the CSRF token ? - Ricola3D
Did you add the CSRF middleware to your site? - Henrik Andersson
Ah, here it is: return render_to_response('start.html', dctArgs, RequestContext(request)); should be return render_to_response('start.html', dctArgs, context_instance=RequestContext(request)); - Henrik Andersson

2 Answers

1
votes

Try wrapping your view in the @requires_csrf_token decorator, like so:

from django.views.decorators.csrf import requires_csrf_token

@requires_csrf_token
@login_required
def start(request):
    ...
-1
votes

You can use the csrf_exempt decorator to disable CSRF protection for a particular view.

from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def someview():
    ......

I know Its not what you want but you can try this if you want :)