 

django admin login suddenly demanding csrf token

Tags:

django

I was logging into my django admin console easily a few minutes ago. I must have changed something somewhere that caused this error when logging in as superuser:

Forbidden (403) CSRF verification failed. Request aborted.

This error caught me off guard, as I was logging in all night. Why would I suddenly need a CSRF token for admin login? You would think the sign-in form already has that. This is my admin.py:

    from django.contrib import admin
    from accounts.models import Image, Category, UserProfile

    class ImageAdmin(admin.ModelAdmin):
        list_display = ["__unicode__", "title", "created"]

    # The posted code registered the undefined name GenericImageAdmin here,
    # which would raise NameError at import time; the class defined above is ImageAdmin.
    admin.site.register(Image, ImageAdmin)

    class CategoryAdmin(admin.ModelAdmin):
        list_display = ["category"]

    admin.site.register(Category, CategoryAdmin)
    admin.site.register(UserProfile)
codyc4321 asked Apr 11 '15 01:04


People also ask

How do I ignore CSRF token in Django?

Use the @csrf_exempt decorator from django.views.decorators.csrf: place it immediately above the view for which you do not want CSRF validation, and CsrfViewMiddleware will skip that view. Be aware of what you are giving up: the exempted view accepts cross-site POSTs, so it should only be an endpoint that authenticates by some other means the browser does not attach automatically (a token in a request header, for example), never a session-authenticated form handler such as the admin login.

How does Django generate CSRF token?

CsrfViewMiddleware generates a random secret on the server and stores it in the csrftoken cookie. When a template renders {% csrf_token %}, Django writes a masked copy of that secret into the form as the hidden csrfmiddlewaretoken field. On each unsafe request (POST, PUT, PATCH, DELETE) the middleware unmasks the submitted token and compares it with the cookie secret; if either is missing or they do not match, the request is rejected with a 403 before the view runs. The admin login form includes this tag, which is why admin login normally works without any extra effort.

What is CSRF and how does Django protect against this attack?

Cross-site request forgery (CSRF) is an attack in which a page on another site makes a logged-in user's browser submit a request to your site, and the browser attaches the user's session cookie automatically. Django's protection requires every POST (and PUT, PATCH, DELETE) to carry a secret the browser does not attach on its own: the value of the hidden csrfmiddlewaretoken form field or the X-CSRFToken header, which must match the secret in that user's csrftoken cookie. The attacking page cannot read that cookie, nor the token from a cross-origin response, so it cannot construct a request that passes the check. For HTTPS requests Django additionally verifies the Referer header (and the Origin header where the browser sends one) against the allowed origins.


1 Answer

Admin login normally does require a CSRF token, but that's normally all taken care of for you.

  1. Check your browser's cookies to see if there is a CSRF token present.
  2. Try clearing cookies and refreshing.
  3. Check to make sure you have django.middleware.csrf.CsrfViewMiddleware in your middleware.
  4. Check that you're either on HTTPS or you have CSRF_COOKIE_SECURE=False (which is the default) in settings; otherwise your CSRF cookie exists but won't be sent. Purge your cookies after changing CSRF_COOKIE_SECURE.
ubadub answered Sep 23 '22 22:09
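The "How does Django generate CSRF token?" answer above and the four checks in this answer both come down to one mechanism: a secret in the csrftoken cookie, a masked copy of it in the form, and a middleware that compares the two. The script below is an added example, my own code rather than Django's or the answerer's, that reimplements that mechanism in miniature and models the browser side as well, so each of the answer's failure modes can be reproduced offline. The masking scheme (random mask, then character-wise addition mod 62) and the three rejection strings REASON_NO_CSRF_COOKIE, REASON_CSRF_TOKEN_MISSING and REASON_CSRF_TOKEN_INCORRECT follow Django as I know it; the names simulate_post, BrowserCookie, check_csrf and the wording of REASON_BAD_TOKEN_FORMAT are mine, and the cookie and secrets are constructed test data.

```python
"""Simplified model of Django's CSRF check (added example, not Django's own code).

Models: the 32-character secret in the csrftoken cookie, the masked token that
{% csrf_token %} renders into the form, and the comparison CsrfViewMiddleware
makes on a POST. simulate_post (a name of my own) also models the browser rule
behind point 4 of the answer: a cookie carrying the Secure flag is attached
only to https requests, so with CSRF_COOKIE_SECURE=True on a plain-http dev
server the cookie exists in the browser but the server never sees it.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ALLOWED_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SECRET_LENGTH = 32                # length of the cookie secret
TOKEN_LENGTH = 2 * SECRET_LENGTH  # mask followed by the ciphered secret

# Rejection reasons as Django's 403 page words them (assumption: current Django).
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_CSRF_TOKEN_MISSING = "CSRF token missing."
REASON_CSRF_TOKEN_INCORRECT = "CSRF token incorrect."
REASON_BAD_TOKEN_FORMAT = "CSRF token has incorrect length or characters."  # my wording


def new_secret() -> str:
    """Secret the middleware generates and stores in the csrftoken cookie."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask(secret: str) -> str:
    """Render-time masking: random mask, then (secret + mask) mod 62 per character.

    A fresh mask on every render gives a different token each time the form is
    served without changing the secret, which blunts compression side channels.
    """
    m = new_secret()
    cipher = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(k)) % len(ALLOWED_CHARS)]
        for s, k in zip(secret, m)
    )
    return m + cipher


def unmask(token: str) -> str:
    """Inverse of mask(): recover the secret from a submitted csrfmiddlewaretoken."""
    m, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(k)) % len(ALLOWED_CHARS)]
        for c, k in zip(cipher, m)
    )


def check_csrf(cookie_secret: Optional[str], form_token: Optional[str]) -> Optional[str]:
    """What the middleware decides for one POST: a 403 reason, or None if it passes."""
    if cookie_secret is None:
        return REASON_NO_CSRF_COOKIE
    if not form_token:
        return REASON_CSRF_TOKEN_MISSING
    if len(form_token) != TOKEN_LENGTH or any(c not in ALLOWED_CHARS for c in form_token):
        return REASON_BAD_TOKEN_FORMAT
    # Constant-time comparison, as the real middleware uses.
    if not hmac.compare_digest(unmask(form_token), cookie_secret):
        return REASON_CSRF_TOKEN_INCORRECT
    return None


@dataclass
class BrowserCookie:
    """The csrftoken cookie as the browser holds it (constructed test data)."""
    value: str
    secure: bool  # True when the server set it with CSRF_COOKIE_SECURE=True


def simulate_post(cookie: Optional[BrowserCookie], scheme: str,
                  page_secret: Optional[str], include_token: bool = True) -> Optional[str]:
    """Model a login POST: what the browser sends, then what the middleware decides.

    page_secret is the secret the login page was rendered from. Normally it is the
    cookie's value; it differs when cookies were cleared after the page loaded.
    """
    # The browser attaches a Secure cookie only on https; over http the server sees none.
    sent_cookie = None
    if cookie is not None and (scheme == "https" or not cookie.secure):
        sent_cookie = cookie.value
    form_token = mask(page_secret) if include_token and page_secret else None
    return check_csrf(sent_cookie, form_token)


if __name__ == "__main__":
    s = new_secret()
    print("default settings over http:", simulate_post(BrowserCookie(s, False), "http", s))
    print("CSRF_COOKIE_SECURE=True over http:", simulate_post(BrowserCookie(s, True), "http", s))
    print("cookies cleared, stale form:", simulate_post(BrowserCookie(new_secret(), False), "http", s))
```

Running the script prints None for the first case and "CSRF cookie not set." for the second, which is exactly the symptom in the question when CSRF_COOKIE_SECURE is switched on against the http dev server. The third case shows why point 2 of the answer helps: after cookies are cleared, a login page still open in a tab carries a token masked from the old secret, and the next POST fails with "CSRF token incorrect." until the page is reloaded.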