Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sporadic 403 "CSRF FAILURECSRF cookie not set" errors with django

Tags:

http-status-code-403

django

django-csrf

django-1.4

We have a small site that is just starting to be exposed to the outside world. For the most part it is working very well but we are occasionally getting 403 errors with the message "CSRF FAILURECSRF cookie not set" from one of the forms. The form definitely has the {% csrf_token %} included, and our middleware looks like this:

MIDDLEWARE_CLASSES = (
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)

The form works fine for most people, but about once a day I get an e-mail with a failure case. The e-mail includes the actual request, which looks like this (I've removed the rest of the POST data to hide private data, but left the csrfmiddlewaretoken):

<WSGIRequest
path:/main/10/apply/,
GET:<QueryDict: {}>,
POST:<QueryDict: {u'csrfmiddlewaretoken': [u'IQQZvbVIggJm6Be6VinPHj8Qn3i3TdmG']}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '111978',
 'CONTENT_TYPE': 'multipart/form-data; boundary=----WebKitFormBoundaryLyo9BPXnAwKnt8ew',
 'CSRF_COOKIE': 'XmSPWJZk2UwS4PNBXRmVlAaYDDdNaGqk',

The CSRF_COOKIE doesn't match the csrfmiddlewaretoken, which is what I'm assuming is causing the problem, but I can't figure out how these are out of sync for some submissions but not others. The page is a pretty simple form with only a few fields.

Any suggestions for where I should look? I'm running the latest Django 1.4.1 on CentOS using mod_wsgi via apache.

Edit: The only other thing that seems odd compared to the successful requests is that here the COOKIES:{} section is empty, which would lead me to suspect that perhaps they just have disabled cookies in their browser, but then why does it show up with the CSRF_COOKIE in the META section?

Thanks for your help!

Brandon

like image 319
brandon Avatar asked Nov 14 '22 00:11

brandon

1 Answers

Is HTTP_COOKIE also blank?

It could be the django doesn't see a CSRF token cookie in the request, and it is generating a new CSRF_COOKIE and putting it in meta.

like image 173
Collin Anderson Avatar answered Dec 21 '22 21:12

Collin Anderson
Sign in to Comment

Related questions

Textual search for ForeignKey field in Django Admin
How to get content of Django ImageField before it is saved?
Allowing users to use custom domains for Django app on Heroku
Django Test Client: How to remove http headers
Redirecting Django root to admin panel
Run django application on apache with uWSGI
Realtime push/pull with Django/Redis/Node.js
Have only one instance of a django model
invalidate django's settings cache without restarting the server?
Returning Django comments for a Tastypie resource
to perform addition operation on forloop.counter in django template
Most efficient way to retrieve user with userprofile in Django
Enable django's TEMPLATE_STRING_IF_INVALID on a single method
django: Generating sitemap for multilingual sites
Have loaddata ignore or disable post_save signals
Using related_name correctly in Django
The `.create()` method does not support writable nested fields by default.
Django django-extensions commands unavailable ( graph_models )
Django REST Framework: 'BasePermissionMetaclass' object is not iterable
Django cannot import login from django.contrib.auth.views

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!