Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Intermittent 403s due to CSRF failure (Django 1.2.3)

Tags:

http-status-code-403

proxy

django

csrf

intermittent

I've got a slightly crazy/infuriating bug with a site and CSRF.

We're running Django 1.2.3, Python 2.6 on Ubuntu with Apache2 + mod_wsgi and have been getting end users reporting 403 CRSF verification failures and 403s as a result.

All our forms have a csrf_token and - as far as I am aware - things work fine in local dev and on stage (we're not in production yet)... apart from for one office (the client's, natch). On random occasions, they'll get such a 403, but then refresh and it'll go away (so it's not the HTML lacking a token etc)

I'm pondering causes and solutions, and it may be that that office has a fiendishly over-eager or poorly set-up proxy cache, or similar, and would appreciate some tips on what we can do, in a Django/Apache way to deal with over-the-top proxies (the client's office likely won't change their setup) or what else might be up to cause these CSRF fails.

BTW: this was a 1.2.3 project from scratch, not some kind of 1.1 upgrade, and we use just the single standard/correct 1.2.3 CSRFMiddleware and manually added csrf_tokens - not the CSRFResponseMiddleware to automatically include the csrf_token

Also: this has happened on two separate servers (dev server and staging server), which are hosted in separate locations. Common factors are (in theory) same Django/Apache/mod_wsgi setup, the same codebase and the same office getting the 403s (and not being able to replicate the 403s in our own location).

like image 714
Steve Jalim Avatar asked Nov 06 '22 07:11

Steve Jalim

1 Answers

just an update in case it helps anyone.

We dropped the CRSF protection to test (by using http://johnmc.co/llum/disable-csrf-protection-for-django-1-2/). This cleared up the 403s, but then we had intermittent 500s for zero-length POST data from the same client/local network, which explained that the CSRF fails were because the token was present in the session but not in the payload (rather than the other way around).

So, it wasn't a CSRF issue, specifically, but a POST-payload-getting-zapped-somewhere issue. (Most likely by a misconfigured proxy at just one location)

HTH

Steve

like image 65
Steve Jalim Avatar answered Nov 09 '22 04:11

Steve Jalim
Sign in to Comment

Related questions

How do you add OpenId session data to a Django test client POST?
Better way to represent Many to many relationship in django admin
Using a Non-Default Manager with GenericForeignKey()
How To Collapse Just One Field in Django Admin?
Do Django Models inherit managers? (Mine seem not to)
Syncing data between devel/live databases in Django
django: failing tests from django.contrib.auth
Social Game Mechanics in Django
Detecting permission errors in django tests
Create Django formset without multiple queries
Django syncdb not making tables for my app
How to bind events with jQuery in django admin when new *Inline is added
Django: Sum on an date attribute grouped by month/year
Is all I need the "identity url"? - OpenID
Implementing a per-model table modification time in Django?
How to change multiple select field to multiple input fields for a many-to-many case?
My apps not visible when using custom AdminSite
Select a Valid Choice. 0 is not one of the available choices
Django admin: Change selected box of related fields to autocomplete
How to make Django work with unsupported MySQL drivers such as gevent-mysql or Concurrence's MySQL driver?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!