4
votes

I understand that this error occurs when the csrf token isn't included in the form when submitting, but this is not the case this time.

I am trying to login to the admin site. The admin login form has the csrf token included, and I can see that the value of that csrf token matches the csrf cookie's value. Also, when I submit, I can see that the same csrf token is posted to the server.

But still, I get the CSRF verification failed message. I am sure if I clear the cookies it will work, but I don't understand why this happens.

One thing to note about my session engine setting:

    SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'

I don't know if this setting matters, but I should point it out.


Update: Ok, I turned on debug and here is more info:

Reason given for failure:

    CSRF cookie not set.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.

I am pretty sure my browser accepts cookies, because I can see the cookie value in my browser and I can also see the cookie being set in the HTTP header:

    Set-Cookie:csrftoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW; expires=Fri, 12-May-2017 07:28:00 GMT; Max-Age=31449600; Path=/

The view function passes a request to the template's render method. In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.

Since I am using Django's own admin pages, I am sure there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.

Also, I can see when the post action happens, the csrf value is passed along:

    csrfmiddlewaretoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW&username=cheng&password=&next=%2Fadmin%2F

I deleted the value for the password field for obvious reasons.

If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.

Well, I have the CsrfViewMiddleware in my settings.py file. Also, Django's own admin site knows how to handle csrf_token.

I have seen this error before and I solved it by clearing cookies. But for regular users who don't know about cookies, this can be a show stopper. I suspect that it has something to do with the cookie-engine setting.

1
Possible duplicate of Django CSRF cookie not set correctly – Cheng
Or, if the cookie is verified to be set correctly, possible duplicate of: Django CSRF failure after upgrade. I had similar behavior and "fixed" it by cache-busting existing CSRF cookies via renaming the CSRF and session cookie names. The session cookie needed to be renamed to force users to login to start a new session. Clearing the session table wasn't enough. – guidos
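To see which of Django's two checks produces the "CSRF cookie not set." reason quoted in the question, here is an added stand-alone re-creation of the checks CsrfViewMiddleware runs on a POST (example code, not Django's own). It uses the cookie and form values from the question (the `sessionid` value is constructed), does the plain cookie-equals-form comparison that applies when the two values are identical as they are here, and takes the cookie name as a parameter so the cache-busting rename that guidos describes (changing CSRF_COOKIE_NAME) can be tried out.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Reason strings as Django reports them on its debug page.
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def check_csrf(cookie_header: str, post_body: str,
               cookie_name: str = "csrftoken") -> str:
    """Return 'ok' or the reason a POST would be rejected.

    cookie_header: the request's Cookie header as sent by the browser.
    post_body:     the urlencoded form body of the POST.
    cookie_name:   the configured CSRF cookie name (CSRF_COOKIE_NAME).
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(cookie_name)
    if morsel is None or not morsel.value:
        # First check: the browser sent no cookie under the configured name.
        # A renamed cookie setting hits this branch for every old browser.
        return REASON_NO_CSRF_COOKIE
    cookie_token = morsel.value

    # Second check: the hidden form field must be present and match the cookie.
    form = parse_qs(post_body)
    request_token = form.get("csrfmiddlewaretoken", [""])[0]
    if not request_token:
        return REASON_BAD_TOKEN
    # Constant-time comparison so the check leaks nothing through timing.
    if not hmac.compare_digest(cookie_token, request_token):
        return REASON_BAD_TOKEN
    return "ok"


# Values taken from the question (password left empty as in the original);
# the sessionid cookie is a constructed placeholder.
COOKIE = "csrftoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW; sessionid=placeholder"
BODY = ("csrfmiddlewaretoken=j2tSkjxUyeY90NZhUcMZ5GEdDKEa0wdW"
        "&username=cheng&password=&next=%2Fadmin%2F")

if __name__ == "__main__":
    print(check_csrf(COOKIE, BODY))                              # ok
    print(check_csrf("", BODY))                                  # CSRF cookie not set.
    print(check_csrf(COOKIE, BODY, cookie_name="csrftoken_v2"))  # CSRF cookie not set.
```

The third call shows the effect of the rename: the browser still holds the old `csrftoken` cookie, the server looks for `csrftoken_v2`, and the request fails at the first check until the browser receives a cookie under the new name.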

1 Answer

1
votes

This issue might be due to the fact that your changes to the form, i.e. adding the {% csrf_token %}, didn't come into effect. Refresh your FORM PAGE, and then provide the inputs again. Might just work fine.