CSRF issue in default login


Mike Kilmer

Jun 17, 2022, 11:48:22 AM
to django...@googlegroups.com, chris angelico, Jean Wainer
Hi.

I'm fairly new to Django. Here's what I need insight on:

Local server, no issue.

On production: CSRF 403 error on login.

There's a cookie loaded on the login page containing csrftoken: pAFeeUI8YFXZ2PKRYxOTX1qz4Xgto42WVNi7FFvBlZDqcFLwQ2rdQvVeZBHFSpLW

(Local and Session storage are empty)

In the FORM element:

<input type="hidden" name="csrfmiddlewaretoken" value="Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR">

Notice they don't match.

I tried running ./migrate.py clearsessions.

Once, yesterday, it seemed that the error did not occur in an Incognito Window, but today it persists even in an incognito window, as well as a different browser.

One additional piece of information: I have allauth installed, but it doesn't seem to be correctly configured. Its login page is not loading.

Additionally, the problem was there even when I removed allauth from Apps and Authentication Backends.

Thanks much.

–Mike

rahul sharma

Jun 17, 2022, 11:51:24 AM
to django...@googlegroups.com
{% csrf_token %} use this action form down


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/551AFE93-8B25-4CB9-8D3F-F1BF1EC4F585%40mzoo.org.

Mike Kilmer

Jun 17, 2022, 12:22:49 PM
to Django users
By the way, using Django 4.0. 

Thanks, Rahul. 

I believe this is a default Django template, and wouldn't the fact that the page/form creates a cookie be a sign that the action triggered by `{% csrf_token %}` has taken place?

rahul sharma

Jun 17, 2022, 12:27:21 PM
to django...@googlegroups.com
Html form like action form use 

Mike Kilmer

Jun 17, 2022, 12:36:01 PM
to Django users
So, where would I be putting {% csrf_token %}? Do I need to manually overwrite Django's default login form in order for it to contain this?

mike vickers

Jun 17, 2022, 1:25:29 PM
to django...@googlegroups.com
I was having a similar issue after setting up https with certbot. After searching around, I found adding this to settings worked.
CSRF_TRUSTED_ORIGINS = ["https://yourdomain.com", "https://www.yourdomain.com"]
I'd be curious to hear from others, because I'm not an expert in how to best set up django for production.

Mike Kilmer

Jun 17, 2022, 1:29:04 PM
to Django users
That sounds hopeful. Where do you put that config? Settings.py?

Mike Kilmer

Jun 17, 2022, 1:39:31 PM
to Django users
Success! `CSRF_TRUSTED_ORIGINS = ["https://yourdomain.com", "https://www.yourdomain.com"]` and https://stackoverflow.com/a/70518254/2223106 did the trick!
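Two things in this thread are worth seeing in code: why the cookie token and the form token "don't match" yet are still accepted (Django masks the same secret with a fresh random mask each time), and why the Origin check fails in production when TLS is terminated at a proxy but passes locally. The following is an added example, not code from the thread or from Django itself: a plain-Python re-implementation of those two CsrfViewMiddleware checks as Django 4.0 performs them, with the hostnames taken from the thread.

```python
# Added example (not code from the thread): plain-Python re-implementation of
# the two CsrfViewMiddleware checks involved here, as Django 4.0 performs them.
import secrets
import string
from urllib.parse import urlparse

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32  # a 32-char secret is masked into a 64-char token

def mask_secret(secret: str, mask: str = "") -> str:
    """Return mask + (secret shifted by mask). A fresh random mask per call is
    why the cookie token and the form token differ yet still 'match'."""
    mask = mask or "".join(secrets.choice(CSRF_ALLOWED_CHARS)
                           for _ in range(CSRF_SECRET_LENGTH))
    idx, n = CSRF_ALLOWED_CHARS.index, len(CSRF_ALLOWED_CHARS)
    cipher = "".join(CSRF_ALLOWED_CHARS[(idx(s) + idx(m)) % n]
                     for s, m in zip(secret, mask))
    return mask + cipher

def unmask_token(token: str) -> str:
    """Invert mask_secret: strip the mask and shift the cipher back."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    idx, n = CSRF_ALLOWED_CHARS.index, len(CSRF_ALLOWED_CHARS)
    return "".join(CSRF_ALLOWED_CHARS[(idx(c) - idx(m)) % n]
                   for c, m in zip(cipher, mask))

def tokens_match(cookie_token: str, form_token: str) -> bool:
    """What Django actually compares: the unmasked secrets, in constant time."""
    return secrets.compare_digest(unmask_token(cookie_token),
                                  unmask_token(form_token))

def origin_allowed(origin: str, host: str, is_secure: bool,
                   trusted_origins: list) -> bool:
    """Django 4.0 Origin check: the Origin header must equal the request's own
    scheme://host, match a CSRF_TRUSTED_ORIGINS entry exactly, or match a
    leading-dot wildcard such as 'https://.example.com' (same scheme).
    With TLS ended at a proxy, is_secure is False and own origin is http://..."""
    own_origin = ("https" if is_secure else "http") + "://" + host
    if origin == own_origin or origin in trusted_origins:
        return True
    parsed = urlparse(origin)
    for entry in trusted_origins:
        scheme, _, pattern = entry.partition("://")
        if pattern.startswith(".") and parsed.scheme == scheme and (
                parsed.netloc == pattern[1:] or parsed.netloc.endswith(pattern)):
            return True
    return False
```

The other way to make the own-origin comparison succeed is to tell Django it sits behind a TLS-terminating proxy (the SECURE_PROXY_SSL_HEADER setting), so that request.is_secure() is true; CSRF_TRUSTED_ORIGINS alone, as used above, works without that.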

Abul Kashim 1811949642

Jun 17, 2022, 4:10:16 PM
to Django users
I have basic to intermediate knowledge of Django, but I can't find any entry-level job to master my Django knowledge in my country. Can anyone suggest to me where I can get some project or industry-level job in Django, please? I badly need that.

Mike Kilmer

Jun 17, 2022, 6:35:16 PM
to Django users
If you're interested in some piecemeal work, I could use some help. mike at mzoo.org.

rahul sharma

Jun 22, 2022, 4:54:43 AM
to Django users

yes