Opened 13 years ago
Closed 13 years ago
#18359 closed Bug (invalid)
CSRF dosen't work
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | CSRF | Version: | 1.4 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
$ cat view.py
from django.shortcuts import render_to_response def test(request): if request.method == 'GET': return render_to_response('test.html') elif request.method == 'POST': return render_to_response('successful.html')
$ cat templates/test.html
<form action="." method="post">{% csrf_token %} <input type="submit" value="Submit" /> </form>
$ cat settings.py
MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware',
after submit
Forbidden (403) CSRF verification failed. Request aborted. Help Reason given for failure: CSRF cookie not set. In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure: Your browser is accepting cookies. The view function uses RequestContext for the template, instead of Context. In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL. If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data. You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed. You can customize this page using the CSRF_FAILURE_VIEW setting.
Note:
See TracTickets
for help on using tickets.
You should read https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#how-to-use-it thoroughly, though the error message states it clearly also:
You are not using RequestContext, so you don't have a proper csrf token in the context of your template. Without a proper token, the protection obviously fails.
I am marking this invalid.