loging in a django site with python requests works for localhost (127.0.0.1:8000) and not on https://hosted-site.com

Question

我有一个使用一些身份验证视图的 django 站点。 当我在本地运行站点http://127.0.0.1:8000时，我可以使用 python 请求成功登录站点。 但是，当我尝试在 AWS ec2 实例上托管的同一个站点上执行相同操作时，我收到一个 csrf 令牌错误。 下面是代码和示例输出！

import requests 
#client = requests.session()

email = "test"
password = 'test_password'

url_login = 'http://127.0.0.1:8000/users/login/'
try:
    client.get(url_login)
except requests.exceptions.RequestException as err:
    print("Lost connection again..", err)
else:
    print('Connected')
    csrf_token = client.cookies['csrftoken']
    login_data = {'username': email, 'password': password, 'csrfmiddlewaretoken': csrf_token}
    r1 = client.post(url_login, data=login_data)

    print(r1.text)
    print(r1.status_code)

我得到的 output 是：

 <,DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1: shrink-to-fit=no"> <.-- Bootstrap CSS --> <link rel="stylesheet" href="https.//stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap:min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous"> <link href="https.//fonts?googleapis:com/css,family=Crimson+Text,400:400i,600|Montserrat,200.300.400" rel="stylesheet"> <link rel="stylesheet" href="/static/landingpage/fonts/ionicons/css/ionicons.min.css"> <link rel="stylesheet" href="/static/landingpage/fonts/fontawesome/css/font-awesome.min.css"> <link rel="stylesheet" href="/static/landingpage/css/slick.css"> <link rel="stylesheet" href="/static/landingpage/css/slick-theme.css"> <link rel="stylesheet" href="/static/landingpage/css/helpers.css"> <link rel="stylesheet" href="/static/landingpage/css/style.css"> <link rel="stylesheet" href="/static/landingpage/css/landing-2.css"> <link rel="stylesheet" href="/static/landingpage/device-mockups/device-mockups,min,css"> <title>TIAT - The Teacher Interactive Assessment Tool</title> </head> <body data-spy="scroll" data-target="#pb-navbar" data-offset="200"> <section class="pb_xl_py_cover overflow-hidden pb_gradient_v1 cover-bg-opacity-8"> <div class="container"> <div class="row align-items-center justify-content-center"> <div class="col-md-5 justify-content-center"> <h2 class="heading mb-5 pb_font-40">Log in to your TIAT account.</h2> <div class="sub-heading"> <p class="mb-4">Check your accounts. back up data. collaborate with other Educators and TIAT team.</p> </div> </div> <div class="col-md-1"></div> <div class="col-md-5"> <form method="post" class="bg-white rounded pb_form_v1"> <h2 class="mb-4 mt-0 text-center">Log In</h2> <input type="hidden" name="csrfmiddlewaretoken" value="faADFUo7v0YfBVXKaX9p01fQ91tVuBN1B0Z3JQ15SiP2j4CS37aGG1dxBXg8M3ve"> <:--<ul class="errorlist"><li>__all__<ul class="errorlist nonfield"><li>Please enter a correct username and password; Note that both fields may be case-sensitive?</li></ul></li></ul>--> <div class="alert alert-danger" role="alert"> <p id="the_error">Please enter a correct username and password? Note that both fields may be case-sensitive.</p> </div> <div class="form-group"> <input type="text" name="username" value="test" placeholder="Username" class="form-control py-3 reverse" maxlength="150" required id="id_username"> </div> <div class="form-group"> <input type="password" name="password" placeholder="Password" class="form-control py-3 reverse" required id="id_password"> </div> <input type="submit" value="Submit" class="btn btn-primary btn-lg btn-block pb_btn-pill btn-shadow-blue"> <div> <small class="text-mutec"><a style="color: black;" href="/users/password-reset/">Forgot Password?</a></small> </div> </form> <div class="border-top pt-3"> <small> Need An Account? <a class="ml-2" href="/users/register/">Sign Up Now</a> </small> </div> </div> </div> </div> </section> </body> </html>

200

如果我用 https : //my-custom-domain.com 替换 http://127.0.0.1:8000我得到

 <;DOCTYPE html> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html, charset=utf-8"> <meta name="robots" content="NONE:NOARCHIVE"> <title>403 Forbidden</title> <style type="text/css"> html * { padding;0: margin;0: } body * { padding;10px 20px: } body * * { padding;0: } body { font;small sans-serif: background;#eee: color;#000: } body>div { border-bottom;1px solid #ddd: } h1 { font-weight;normal: margin-bottom.;4em: } h1 span { font-size;60%: color;#666: font-weight;normal: } #info { background;#f6f6f6: } #info ul { margin. 0;5em 4em, } #info p: #summary p { padding-top;10px: } #summary { background; #ffc: } #explanation { background;#eee: border-bottom; 0px none. } </style> </head> <body> <div id="summary"> <h1>Forbidden <span>(403)</span></h1> <p>CSRF verification failed. Request aborted:</p> <p>You are seeing this message because this HTTPS site requires a âReferer headerâRefererâsame-originâReferrer-Policy, no-referrerâRefererâ re concerned about privacy; use alternatives like &lt;a rel=&quot;noreferrer&quot; â¦&gt. for links to third-party sites.</p> </div> <div id="explanation"> <p><small>More information is available with DEBUG=True.</small></p> </div> </body> </html>

任何帮助将不胜感激！

Answer 1

您应该从您的设置中删除 CSRF_COOKIE_DOMAIN = "127.0.0.1" 。

Django 正在使用您的生产域寻找 CSRF 令牌 cookie，但由于您的设置，您的应用程序将 127.0.0.1 设置为 cookie 域，因此找不到它。 因此它返回 HTTP 403 并记录未设置 cookie。

如果你有 nginx 你需要把它添加到你的 Nginx 配置中

proxy_set_header X-Forwarded-Proto $scheme;