CSRF verification failed. Request aborted. on django

I am following Django 1.3 Web Development, and for logins I am getting the following error:

```text
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
    CSRF token missing or incorrect.
```

This is the INSTALLED_APPS setting in my settings.py. It is exactly as the book says it should be.

```python
INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
    'djangocricket.Cricket',
    'djangocricket.cms',
)
```

The book says it should contain django.contrib.auth.views.login, and I am including it in:

```python
# Django 1.3 style imports needed by the url patterns below
from django.conf.urls.defaults import patterns, include, url
from django.contrib import admin

admin.autodiscover()

urlpatterns = patterns('',
    # Examples:
    url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
    url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
    url(r'^login/$', 'django.contrib.auth.views.login'),
    # url(r'^djangocricket/', include('djangocricket.foo.urls')),

    # Uncomment the admin/doc line below to enable admin documentation:
    # url(r'^admin/doc/', include('django.contrib.admindocs.urls')),

    # Uncomment the next line to enable the admin:
    url(r'^news/', 'djangocricket.cms.views.index', name='index'),
    # url(r'^news/(?P<slug>[^\.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
    url(r'^admin/', include(admin.site.urls)),
)
```

and my registration/login.html, copy-pasted from the book. It should do.

```html
<html>
<head>
    <title>Django Bookmarks - User Login</title>
</head>
<body>
<h1>User Login</h1>
{% if form.errors %}
    <p>Your username and password didn't match.
        Please try again.</p>
{% endif %}
<form method="post" action=".">
    <p><label for="id_username">Username:</label>
        {{ form.username }}</p>
    <p><label for="id_password">Password:</label>
        {{ form.password }}</p>
    <input type="hidden" name="next" value="/" />
    <input type="submit" value="login" />
</form>
</body>
</html>
```

What am I missing?

Yousuf Jawwad Avatar asked Mar 13 '12 21:03

2 Answers

You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.

This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.

For more info, check the Django documentation at: https://docs.djangoproject.com/en/dev/ref/csrf/

Here is an overview of the Cross-Site Request Forgery attack: https://www.owasp.org/index.php/CSRF

fcurella Avatar answered Sep 18 '22 05:09

If you are using the csrf_token template tag and the problem is not solved, check the CSRF_COOKIE_DOMAIN setting. You should set it to None in a development environment.

Mesut Tasci Avatar answered Sep 19 '22 05:09
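The following is an added example, not code from the question or either answer and not Django's own implementation. It models, in plain Python, the two failure modes the answers describe: the first answer's point that the server compares the hidden `csrfmiddlewaretoken` form field against the `csrftoken` cookie and returns 403 when the field is absent or differs, and the second answer's point that a `CSRF_COOKIE_DOMAIN` which does not cover the host you are developing on (for example `.example.com` while browsing `localhost`) makes the browser drop the cookie, so the same "missing or incorrect" failure appears even with the tag present. The `Browser` class, `simulate_login`, and the token comparison are constructed simplifications (Django 1.3 compared cookie and form values directly; newer releases mask the form value, which this model does not reproduce).

```python
import hmac
import re
import secrets

# Names match Django's defaults; the logic below is a simplified model of
# CsrfViewMiddleware written for this example, not Django's code.
CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
FAILURE_REASON = "CSRF token missing or incorrect."


class Browser:
    """Constructed cookie jar that enforces the Domain attribute like a browser."""

    def __init__(self, host):
        self.host = host
        self.jar = {}

    def set_cookie(self, name, value, domain=None):
        # A cookie is stored only if its Domain attribute covers the request
        # host (RFC 6265 domain-match); otherwise the browser silently drops it.
        if domain is not None:
            d = domain.lstrip(".")
            if not (self.host == d or self.host.endswith("." + d)):
                return False
        self.jar[name] = value
        return True


def render_login_form(token, with_csrf_tag):
    """Render the login form; with_csrf_tag=True mirrors adding {% csrf_token %}."""
    hidden = (
        f'<input type="hidden" name="{CSRF_FORM_FIELD}" value="{token}" />'
        if with_csrf_tag
        else ""
    )
    return (
        '<form method="post" action=".">'
        f"{hidden}"
        '<input type="hidden" name="next" value="/" />'
        '<input type="submit" value="login" />'
        "</form>"
    )


def hidden_fields(html):
    """Collect hidden inputs the way a browser submits them with the form."""
    return dict(re.findall(r'<input type="hidden" name="([^"]+)" value="([^"]*)"', html))


def check_csrf(cookies, post_data):
    """Server-side check: the form token must equal the cookie token.

    Both values must be present, and the comparison is constant-time so a
    mismatch does not leak how many leading characters were right."""
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    form_token = post_data.get(CSRF_FORM_FIELD)
    if cookie_token is None or form_token is None:
        return 403, FAILURE_REASON
    if not hmac.compare_digest(cookie_token, form_token):
        return 403, FAILURE_REASON
    return 200, "OK"


def simulate_login(with_csrf_tag, host="localhost", cookie_domain=None):
    """Round trip: the GET sets the cookie and renders the form, the POST is checked.

    cookie_domain plays the role of the CSRF_COOKIE_DOMAIN setting."""
    browser = Browser(host)
    token = secrets.token_hex(16)
    browser.set_cookie(CSRF_COOKIE_NAME, token, domain=cookie_domain)  # Set-Cookie on GET
    page = render_login_form(token, with_csrf_tag)
    post_data = hidden_fields(page)
    post_data.update({"username": "alice", "password": "constructed"})  # constructed sample
    return check_csrf(browser.jar, post_data)


if __name__ == "__main__":
    print(simulate_login(with_csrf_tag=False))                                    # template without the tag
    print(simulate_login(with_csrf_tag=True))                                     # tag added, default domain
    print(simulate_login(True, host="localhost", cookie_domain=".example.com"))   # wrong CSRF_COOKIE_DOMAIN
    print(simulate_login(True, host="www.example.com", cookie_domain=".example.com"))
```

Running the four scenarios shows that only the template with the tag and a cookie the browser actually keeps reaches 200; both the missing tag and the non-matching cookie domain produce the same 403 reason the question quotes, which is why the second answer's setting is worth checking once the template tag is in place.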