27
votes

I was logging into my django admin console easily a few minutes ago. I must have changed something somewhere that caused this error when logging in as superuser:

Forbidden (403) CSRF verification failed. Request aborted.

This error caught me off guard as I was logging in all night. Why would I suddenly need a csrf token for admin login? You would think the sign in form already has that. This is my admin.py:

from django.contrib import admin
from accounts.models import Image, Category, UserProfile


class ImageAdmin(admin.ModelAdmin):
    list_display = ["__unicode__", "title", "created"]

# Register with the ImageAdmin class defined above (the original referred to an
# undefined GenericImageAdmin, which would raise NameError when the admin loads).
admin.site.register(Image, ImageAdmin)


class CategoryAdmin(admin.ModelAdmin):
    list_display = ["category"]

admin.site.register(Category, CategoryAdmin)

# UserProfile gets the default ModelAdmin.
admin.site.register(UserProfile)
codyc4321: I cleared the database with flush, and now my app is working and I can make new users and whatnot. But I cannot use the admin. If I do "createsuperuser" I get an admin user and it complains that the user does not have a userprofile. This is true; making a superuser doesn't make a userprofile. A userprofile is made when I make a new fake user in my registration page.

codyc4321:

    from django.db import models
    from django.contrib.auth.models import User

    class UserProfile(models.Model):
        user = models.OneToOneField(User)
        blurb = models.CharField(max_length=800, default='')

        def __unicode__(self):
            return self.user.username

codyc4321: it won't let me make it look like code

Basic: My apologies for the snark. I didn't expect the question asker to be adding code in comments (edit your question instead). For future reference, surrounding with backticks (`) indicates code in-line (both in comments and posts).

codyc4321: @Basic you're fine, I'm a complete SO noob. Any snark was deserved haha

9 Answers

30
votes

Admin login normally does require a csrf token, but that's normally all taken care of for you.

  1. Check your browser's cookies to see if there is a csrf token present
  2. Try clearing cookies and refreshing
  3. Check to make sure you have django.middleware.csrf.CsrfViewMiddleware in your middleware
  4. Check that you're either on https or you have CSRF_COOKIE_SECURE=False (which is the default) in settings, otherwise your csrf cookie exists but won't be sent. Purge your cookies after changing CSRF_COOKIE_SECURE.
3
votes

Add a csrf token to your context in the login view and in your template add in the hidden div for the csrf token. Ensure you have django.middleware.csrf.CsrfViewMiddleware in the middleware section in your settings.py.

Then add @csrf_protect to your views to do with login. It is also possible you tried to log in with incorrect credentials - you need @csrf_protect on the logout view in your app's views.py that you call on the appropriate URI for login/logout etc. in urls.py also. My logout simply calls logout(request) then calls HttpResponseRedirect('') which is probably not perfect but it does me for my needs for now.

3
votes

This error was appearing for me when I had not set CSRF_COOKIE_DOMAIN in my settings_local but it was set in my main settings.py.

In my case I set it to the local host, e.g.

CSRF_COOKIE_DOMAIN = '127.0.0.1'
2
votes

As a security measure, I had CSRF_COOKIE_SECURE = True in my settings. Trying to log into admin via localhost where there isn't HTTPS threw the forbidden error.

Set it to False to get it working on localhost.

1
votes

This could also happen when you are already logged in to your website, hosted on a URL different from the admin's, and then try to log in to your admin panel in a new tab. Try to open the admin panel in a different window.

0
votes

I used to have the same problem every time when I was using my default environment, and then using a virtual environment worked for me. It works every time. If you don't know how to create a virtual environment, here's how you do it:

  1. Just create a virtual environment in your project's directory by running the command virtualenv theNameYouWannaGiveYourEnvironment.
  2. Then activate your virtual environment by using theNameYouWannaGiveYourEnvironment/bin/activate (on Linux; I think it works for macOS too, but it's different for Windows).
  3. After that, just install Django by pip install django and all the other requirements for your application to run.

Alternatively, you can also use Anaconda to create your virtual environment and install all your requirements. Just refer to this documentation if you wanna use anaconda: https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html

0
votes

Try opening your site in incognito mode.

There is a good chance that it could be your browser cookie, the above test will iron out that possibility.

0
votes

If you're in production, make sure that your URL is configured inside ALLOWED_HOSTS in settings.py.

0
votes

In my case it was solved by changing the setting:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

to

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'http')
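The checks spread across the answers above (CsrfViewMiddleware present, CSRF_COOKIE_SECURE over plain http, CSRF_COOKIE_DOMAIN, ALLOWED_HOSTS and SECURE_PROXY_SSL_HEADER) collected into one diagnostic, as an added example that is not code from any answer or from Django itself. It assumes a simplified model of Django's middleware and request.is_secure() behaviour, with plain dicts standing in for settings.py and the request.

```python
# Added example, not code from the thread. A pure-Python model (assumption: a
# simplification of Django's CsrfViewMiddleware, request.is_secure() and host
# validation, not the real code) mapping each setting the answers mention to
# the reason an admin login POST is rejected; dicts stand in for settings/request.

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"
DEBUG_HOSTS = [".localhost", "127.0.0.1", "[::1]"]   # Django's DEBUG fallback

def host_allowed(hostname, patterns):
    """ALLOWED_HOSTS semantics: exact match, '*' or a leading-dot suffix."""
    for pat in patterns:
        if pat == "*" or hostname == pat.lstrip("."):
            return True
        if pat.startswith(".") and hostname.endswith(pat):
            return True
    return False

def is_secure(settings, request):
    """Mirror request.is_secure(): trust the proxy header only when configured."""
    proxy = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy and request["META"].get(proxy[0]) == proxy[1]:
        return True
    return request["scheme"] == "https"

def diagnose_csrf_failure(settings, request):
    """Return the reasons (possibly several) an admin login POST fails CSRF."""
    reasons = []
    host = request["host"]
    hostname = host.split(":")[0]
    allowed = settings.get("ALLOWED_HOSTS") or (DEBUG_HOSTS if settings.get("DEBUG") else [])
    if not host_allowed(hostname, allowed):
        reasons.append("host not in ALLOWED_HOSTS (Django answers 400 DisallowedHost)")
    if CSRF_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        reasons.append("CsrfViewMiddleware missing: csrftoken cookie is never set")
    if settings.get("CSRF_COOKIE_SECURE", False) and request["scheme"] != "https":
        reasons.append("CSRF_COOKIE_SECURE=True over plain http: browser drops the cookie")
    domain = settings.get("CSRF_COOKIE_DOMAIN")
    if domain and not hostname.endswith(domain.lstrip(".")):
        reasons.append(f"CSRF_COOKIE_DOMAIN={domain!r} does not match host {hostname!r}")
    if is_secure(settings, request):
        # Over HTTPS Django additionally demands a same-origin https Referer,
        # so a proxy header claiming https for an http client fails here.
        referer = request["META"].get("HTTP_REFERER", "")
        if not referer.startswith(f"https://{host}/"):
            reasons.append("secure request without a same-origin https Referer")
    if "csrftoken" not in request.get("COOKIES", {}):
        reasons.append("no csrftoken cookie sent: clear cookies and reload the login form")
    return reasons
```

Run it against your own settings values before toggling them: an empty list means none of the misconfigurations discussed in this thread applies, and each entry names the setting to look at.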