Sporadic 403 "CSRF FAILURECSRF cookie not set" errors with django

We have a small site that is just starting to be exposed to the outside world. For the most part it is working very well but we are occasionally getting 403 errors with the message "CSRF FAILURECSRF cookie not set" from one of the forms. The form definitely has the {% csrf_token %} included, and our middleware looks like this:

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

The form works fine for most people, but about once a day I get an e-mail with a failure case. The e-mail includes the actual request, which looks like this (I've removed the rest of the POST data to hide private data, but left the csrfmiddlewaretoken):

<WSGIRequest
path:/main/10/apply/,
GET:<QueryDict: {}>,
POST:<QueryDict: {u'csrfmiddlewaretoken': [u'IQQZvbVIggJm6Be6VinPHj8Qn3i3TdmG']}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '111978',
 'CONTENT_TYPE': 'multipart/form-data; boundary=----WebKitFormBoundaryLyo9BPXnAwKnt8ew',
 'CSRF_COOKIE': 'XmSPWJZk2UwS4PNBXRmVlAaYDDdNaGqk',

The CSRF_COOKIE doesn't match the csrfmiddlewaretoken, which is what I'm assuming is causing the problem, but I can't figure out how these are out of sync for some submissions but not others. The page is a pretty simple form with only a few fields.

Any suggestions for where I should look? I'm running the latest Django 1.4.1 on CentOS using mod_wsgi via apache.

Edit: The only other thing that seems odd compared to the successful requests is that here the COOKIES:{} section is empty, which would lead me to suspect that perhaps they just have disabled cookies in their browser, but then why does it show up with the CSRF_COOKIE in the META section?

Thanks for your help!

Brandon

brandon asked Nov 14 '22 00:11


1 Answer

Is HTTP_COOKIE also blank?

It could be that Django doesn't see a CSRF token cookie in the request, and it is generating a new CSRF_COOKIE and putting it in META.

Collin Anderson answered Dec 21 '22 21:12
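To make the answer's explanation concrete, here is an added example (written for this page, not Django's own middleware code) that re-implements the check in miniature: when no csrftoken cookie arrives, a fresh token is placed in META['CSRF_COOKIE'] and a POST is rejected with exactly the "CSRF cookie not set." reason seen in the question, and a small diagnose() helper does the HTTP_COOKIE inspection the answer suggests. The Request class, the token generator and the diagnosis strings are assumptions for this example.

```python
import secrets

CSRF_COOKIE_NAME = "csrftoken"
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


class Request:
    """Minimal stand-in for a WSGIRequest (constructed for this example)."""

    def __init__(self, method, post=None, cookies=None, meta=None):
        self.method = method
        self.POST = dict(post or {})
        self.COOKIES = dict(cookies or {})
        self.META = dict(meta or {})


def csrf_check(request):
    """Return None if the request passes, else the rejection reason string."""
    try:
        cookie_token = request.COOKIES[CSRF_COOKIE_NAME]
        request.META["CSRF_COOKIE"] = cookie_token
    except KeyError:
        # No csrftoken cookie arrived: a fresh token is generated and stored in
        # META so the view/template can still render {% csrf_token %}. This is
        # why META shows a CSRF_COOKIE value even though COOKIES is empty, and
        # why that value never matches the csrfmiddlewaretoken in the POST.
        cookie_token = None
        request.META["CSRF_COOKIE"] = secrets.token_urlsafe(24)  # stand-in generator

    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return None  # safe methods are never checked
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    if request.POST.get("csrfmiddlewaretoken") != cookie_token:
        return REASON_BAD_TOKEN
    return None


def diagnose(request):
    """Classify a rejected POST the way the answer suggests: look at HTTP_COOKIE."""
    if "HTTP_COOKIE" not in request.META:
        return "no Cookie header at all: the browser sent no cookies with this request"
    if CSRF_COOKIE_NAME not in request.COOKIES:
        return "Cookie header present but csrftoken missing: cookie was never set or was dropped"
    return "csrftoken cookie present: compare it against csrfmiddlewaretoken"
```

Feeding it a request shaped like the failing one in the question (empty COOKIES, no HTTP_COOKIE) returns the "CSRF cookie not set." reason and a META['CSRF_COOKIE'] that differs from the posted token.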