Code

Opened 2 years ago

Closed 2 years ago

#18359 closed Bug (invalid)

CSRF dosen't work

Reported by: jollychang@… Owned by: nobody
Component: contrib.csrf Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

$ cat view.py

from django.shortcuts import render_to_response

def test(request):
    if request.method == 'GET':
        return render_to_response('test.html')
    elif request.method == 'POST': 
        return render_to_response('successful.html')

$ cat templates/test.html

<form action="." method="post">{% csrf_token %}
<input type="submit" value="Submit" />
</form>

$ cat settings.py

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',

after submit

Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
    CSRF cookie not set.
    
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function uses RequestContext for the template, instead of Context.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.

Attachments (0)

Change History (1)

comment:1 Changed 2 years ago by koenb

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

You should read https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/#how-to-use-it thoroughly, though the error message states it clearly also:

You are not using RequestContext, so you don't have a proper csrf token in the context of your template. Without a proper token, the protection obviously fails.

I am marking this invalid.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.