
Django - 403 Forbidden CSRF verification failed

I have a contact form in Django for my website and when I was testing it locally it was working fine but now when I try to submit my contact form "live" it always comes up with 403 Forbidden CSRF verification failed.

view:

from django.core.mail import send_mail
from django.http import HttpResponseRedirect
from django.shortcuts import render

# Assumed location of the form class; the question does not show where it lives.
from .forms import ContactForm


def contact(request):
    if request.method == 'POST':
        # Bind the submitted data; CsrfViewMiddleware has already checked the
        # token before this view runs, so a failed check never reaches here.
        form = ContactForm(request.POST)
        if form.is_valid():
            cd = form.cleaned_data
            send_mail(
                cd['subject'],
                cd['message'],
                cd.get('email', 'noreply@example.org'),
                ['example@gmail.com'],
            )
            return HttpResponseRedirect('/thanks/')
    else:
        form = ContactForm()
    return render(request, 'contact/contact.html', {'form': form})

contact.html

{% extends 'site_base.html' %}

{% block head_title %}Contact{% endblock %}

{% block body %}

      <h2>Contact Us</h2>
      <p>To send us a message, fill out the below form.</p>

    {% if form.errors %}
        <p style="color: red;">
            Please correct the error{{ form.errors|pluralize }} below.
        </p>
    {% endif %}

    <form action="" method="POST">
    {% csrf_token %}
        <table>
            {{ form.as_table }}
        </table>
        <br />
        <button type="submit" value="Submit" class="btn btn-primary">Submit</button>
    </form>    

{% endblock %}

settings (the ones I thought would be relevant):

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
MIDDLEWARE_CLASSES = [
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

After trying to rule out some things, here's what I discovered. When I comment out SESSION_COOKIE_SECURE = TRUE and CSRF_COOKIE_SECURE = TRUE and SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE it works no problem.

If I just comment out CSRF_COOKIE_SECURE = TRUE it works fine. Something weird seems to be going on with how I'm handling CSRF... any help would be great.

Sounds to me like the site is not HTTPS, if it works when you comment out that line? CSRF_COOKIE_SECURE=True makes the CSRF token cookie only work with SSL, per the docs: https://docs.djangoproject.com/en/1.7/ref/settings/#csrf-cookie-secure
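The mechanism behind that answer, as an added example that is not code from the question or the answer: a cookie carrying the Secure attribute (which is what CSRF_COOKIE_SECURE=True adds to csrftoken) is stored but never sent back by the browser over plain http, so Django sees no CSRF cookie and rejects the POST with 403. The script models the browser with the standard library cookie jar; the host name and token value are constructed placeholders.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Placeholder host standing in for the asker's live site (constructed).
HOST = "www.example.org"


def make_csrf_cookie(secure: bool) -> Cookie:
    """Build a csrftoken cookie the way Django's CsrfViewMiddleware sets it.

    secure=True mirrors CSRF_COOKIE_SECURE=True (Secure attribute present).
    The token value is constructed; Django generates a random one.
    """
    return Cookie(
        version=0, name="csrftoken", value="constructed-token-value",
        port=None, port_specified=False,
        domain=HOST, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=False,
        comment=None, comment_url=None, rest={},
    )


def cookie_sent(scheme: str, secure: bool) -> bool:
    """Return True if a browser-like cookie jar attaches the csrftoken cookie
    to a POST to /contact/ made over the given scheme ("http" or "https")."""
    jar = CookieJar()
    jar.set_cookie(make_csrf_cookie(secure))
    request = Request(f"{scheme}://{HOST}/contact/", data=b"", method="POST")
    jar.add_cookie_header(request)   # applies the Secure check, like a browser
    return "csrftoken=" in (request.get_header("Cookie") or "")


def csrf_outcome(scheme: str, secure: bool) -> str:
    """Summarise what Django's CSRF check would see for this combination."""
    if cookie_sent(scheme, secure):
        return "csrftoken cookie received; CSRF check can succeed"
    return "no csrftoken cookie received; 403 Forbidden, CSRF verification failed"


if __name__ == "__main__":
    for scheme in ("https", "http"):
        for secure in (True, False):
            print(f"{scheme:5} CSRF_COOKIE_SECURE={secure!s:5} -> "
                  f"{csrf_outcome(scheme, secure)}")
```

The only combination that fails is http with the Secure flag, which is exactly the asker's symptom; the durable fix is to serve the form over HTTPS rather than to drop CSRF_COOKIE_SECURE.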
