id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28143	CSRF token fails when Debug is disabled and a custom view is used for handler404	antigaprime	nobody	"I have set a custom 404 view, which uses the render function and passes context variables to the view:

{{{
def page_not_found(request, **kwargs):
    lang = request.session['lang']
    content_dict = get_all_db_content(lang, '{0}|{1}'.format('all', 'not-found'))
    variables = {
        'content_text': content_dict,
        'page_lang': ""not-found-{0}"".format(lang),
        'page': 'not-found',
        'page_description': get_field_db_content(lang, 'page_description_not_found'),
        'page_title': get_field_db_content(lang, 'page_title_not_found'),
    }
    return render(request, '404.html', variables, status=404)
}}}

In `urls.py` I have the following:

{{{
# Project libs
import mainsite.views as tn_views

handler404 = tn_views.page_not_found
}}}

When `DEBUG` is set to `False`, custom 404 templates are used, and in turn this causes the CSRF token validation for the Django Admin panel to be rejected with a `403` error: `CSRF verification failed. Request aborted.`

Sometimes I can go back, refresh the page, and attempt a new login, which will work; other times it will not.

Removing the custom 404 view from `urls.py`, or setting `DEBUG` to `True` (obviously), fixes the failed CSRF error in the Django admin.

Another interesting thing is that during some tests, using `CSRF_USE_SESSIONS = True` and `CSRF_COOKIE_AGE = None` instead of cookies would fix the Django admin CSRF error, but would break all CSRF validations on the site's frontend.

----

Additional (relevant?) info:

Using Redis as a session cache.

Additional settings:

{{{
ALLOWED_HOSTS = [
    '.mysite.com',
    '.mysite.info',
]

if DEBUG:
    ALLOWED_HOSTS.extend(['.mysite.dev'])

MIDDLEWARE = [
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.gzip.GZipMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
    'mainsite.middleware.Guid',
    'mainsite.middleware.SiteLang',
]

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [
            os.path.join(BASE_DIR, '_templates'),
        ],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
                'mainsite.context.site_variables',
                'mainsite.context.sitelang',
            ],
        },
    },
]
}}}
"	Bug	closed	CSRF	1.11	Normal	duplicate			Unreviewed	0	0	0	0	0	0
