禁止(403)CSRF验证失败。 请求中止。 即使使用{%csrf_token%}
[英]Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}
问题描述
i am trying to do a login in django but i get this error, i check the CSRF documentation and nothing works for me. 
我正在尝试在django中进行登录,但出现此错误,我检查了CSRF文档,但对我来说没有任何用处。
Here is the HTML: 这是HTML:
<body>
<section class="container">
<div class="login">
<h1>Login to Web App</h1>
{% if form.errors %}
<p class="error">Lo sentimos, la combinacion de usuario y contrasena no es correcta!</p>
{% endif %}
<form action="/accounts/auth/" method="post">
{% csrf_token %}
<input type='hidden' name='csrfmiddlewaretoken' value='randomchars'/>
<p><input name="username" type="text" name="login" value="" placeholder="Username"></p>
<p><input name="password" type="password" name="password" value="" placeholder="Password"></p>
<p class="submit"><input type="submit" name="commit" value="Login"></p>
</form>
</div>
</body>
Like you see above i use the {% csrf_token %} and i have 'django.middleware.csrf.CsrfViewMiddleware' in my installed apps. 就像您在上面看到的那样,我使用了{%csrf_token%},并且在已安装的应用程序中有“ django.middleware.csrf.CsrfViewMiddleware”。
And my views are: 我的看法是:
from django.http import HttpResponse,HttpResponseRedirect
from django.template.loader import get_template
from django.template import Context
from datetime import datetime
from django.shortcuts import render_to_response
from django.http import HttpResponseRedirect
from django.contrib import auth
from django.core.context_processors import csrf
from models import *
from django.shortcuts import get_object_or_404
from forms import *
from django.template.context import RequestContext
from django.contrib.auth.decorators import login_required
from django.contrib.auth import authenticate, login
def login(request):
c = {}
c.update(csrf(request))
return render_to_response('login.html', c)
def auth_view(request):
username = request.POST['username']
password = request.POST['password']
user = authenticate(username=username, password=password)
if user is not None:
auth.login(request.user)
return HttpResponse('/accounts/loggedin')
else:
return HttpResponse('/accounts/invalid')
i redirect to an other HTML file where i dont use the {% csrf_token %}. 我重定向到另一个我不使用{%csrf_token%}的HTML文件。
3 个解决方案
解决方案1
22 2014-01-03 02:32:36
Theory 理论
A couple of things are required to make the csrf protection work (check out the docs ): 要使csrf保护起作用,需要做一些事情(请参阅docs ):
- Your browser has to accept cookies from your server 您的浏览器必须接受服务器中的Cookie
- Make sure you have '
django.middleware.csrf.CsrfViewMiddleware'included as middleware in yoursettings.py(alternatively use the decorator csrf_protect() on particular views you want to protect)确保您的settings.py已将“django.middleware.csrf.CsrfViewMiddleware'作为中间件包括在内(或者在要保护的特定视图上使用装饰器csrf_protect()) - Make sure you pass on the csrf token from
django.core.context_processors.csrfto the context manager.确保将csrf令牌从django.core.context_processors.csrf传递到上下文管理器。
When you load your page, have a look in the page source using your favorite browser. 加载页面时,请使用喜欢的浏览器查看页面源。 Don't open the template html file, open the url which point to the view containing the form. 不要打开模板html文件,请打开指向包含表单的视图的URL。 Look at where you placed the {% csrf_token %} . 查看放置{% csrf_token %} 。 If you see something like 如果您看到类似
<input type='hidden' name='csrfmiddlewaretoken' value="jdwjwjefjwdjqwølksqøwkop2j3ofje" />
you should be ok. 你应该没事的。
If you on the other hand see NOTPROVIDED , something has gone wrong while creating the csrf token. 另一方面,如果您看到NOTPROVIDED ,则在创建csrf令牌时出现了问题。 By looking in the source code ( context_processors.py and csrf.py ), we can find out what: 通过查看源代码( context_processors.py和csrf.py ),我们可以找到以下内容:
-
csrf(request)returns{'csrf_token': 'NOTPROVIDED'}ifget_token(request)returns None.如果get_token(request)返回None,则csrf(request)返回{'csrf_token': 'NOTPROVIDED'}。 -
get_token(request)returnsrequest.META.get("CSRF_COOKIE", None).get_token(request)返回request.META.get("CSRF_COOKIE", None)。
I assume this means that it would return None if the cookie isn't successfully created. 我认为这意味着如果未成功创建cookie,它将返回None 。
Fix 固定
For you, this means that you should first replace 对您来说,这意味着您应该先更换
<form action="/accounts/auth/" method="post" {% csrf_token %}>
with 与
<form action="/accounts/auth/" method="post">
{% csrf_token %}
(...)
</form>
We'd like the csrf field to be inside <form>...</form> , not inside <form> . 我们希望csrf字段位于<form>...</form> 内部 ,而不是<form> 内部 。 As the code is at the moment, it will be converted to 由于目前的代码是,它将被转换为
<form action="/accounts/auth/" method="post" <input type='hidden' name='csrfmiddlewaretoken' value='randomchars' />>
and we would rather like 我们希望
<form action="/accounts/auth/" method="post">
<input type='hidden' name='csrfmiddlewaretoken' value='randomchars' />
After that - have a look at the source code, and see if you can find the csrf field. 之后-查看源代码,看看是否可以找到csrf字段。 If you can see it, everything should work in theory. 如果您能看到它,那么一切都应该在理论上起作用。
You can also check that the csrf cookie has been set in your browser, eg in Chrome, right-click the web page, and select Insepect Element . 您还可以检查浏览器(例如Chrome)中是否设置了csrf cookie,右键单击网页,然后选择Insepect Element 。 Select the Resources tab, and click on cookies. 选择Resources选项卡,然后单击cookie。 You should find a cookie name csrftoken there. 您应该在那里找到一个cookie名称csrftoken 。
If you still have problems, double-check the middleware tuple in your settings.py and double-check that your browser accept cookier from your server as described above. 如果您仍然有问题,仔细检查你的中间件元组settings.py并仔细检查您的浏览器如上所述从服务器接受cookier。
解决方案2
2 2017-09-24 11:11:03
Clear your browser cache and try again. 清除浏览器缓存,然后重试。 Maybe it is using the CSRF token saved in cached cookie. 也许它使用保存在缓存cookie中的CSRF令牌。
解决方案3
-2 2014-01-03 06:14:04
With Addition of above answer, Try Adding following lines in the views 通过上述答案的补充,尝试在视图中添加以下行
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def somathing():
return something
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.