Strange issue in CSRF


Web Architect

Apr 9, 2017, 5:33:05 AM
to Django users
Hi,

We are seeing a strange issue with CSRF in Django. We are using Django 1.8.4. 

Ours is an ecommerce site which has been up for a year. We have been observing 403 CSRF errors now and then for form posts. But the issue is intermittent and suddenly pops up. I mean the form posts work fine for days/weeks, but then suddenly the CSRF error starts showing up. On digging further, when we check the POST request in Inspect Element, the CSRF token shows in both the POST data and the cookie:
Cookie:QGUserId=%220319088571507253%22; mailer_popup=no; sessionid=si11ft0y1w6fr1ostgd9yd0yi88xpyo9; ga=GA1.3.133645024.1488272511; jivaana_country=IN; jivaana_last_visited_page=/product/traditional-maharastrian-earrings-green-12629/; jivaana_last_visited_product=Traditional Maharastrian Earrings - Green; jivaana_last_visited_image=undefined; last_session_reminder=1; jivaana_last_visited_catalogue=/footwear/juttis/; oscar_history="[6251\054 11144\054 8724\054 17749\054 7849\054 11402]"; jivaana_product_list=[{"page":"/product/electric-daisy-11402/","name":"Blue Juttis - Electric Daisy","image":"http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg"}]; cart_prod_title=Blue Juttis - Electric Daisy; cart_prod_image=http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg; cart_session_reminder=1; messages="03d4207b1d9610be355acf1ee7667642dbace557$[[\"__json_message\"\0541\05425\054\"\\n\\n\\n    \\n    <strong>Blue Juttis - Electric Daisy</strong> has been added to your cart.\\n    \\n\\n\"\054\"safe noicon\"]\054[\"__json_message\"\0541\05420\054\"\\n\\n\\n<p>\\n    \\n        \\n            \\n            Your cart total is now <strong>\\u00a0\\u20b94\054020</strong>\\n            \\n        \\n    \\n</p>\\n\\n\"\054\"safe noicon\"]]"; gat_tw=1; qg_identified=true; csrftoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex; gat=1; _ga=GA1.2.133645024.1488272511

view URL encoded
csrfmiddlewaretoken:NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex
form-TOTAL_FORMS:2
form-INITIAL_FORMS:2
form-MIN_NUM_FORMS:0
form-MAX_NUM_FORMS:1000
form-0-quantity:2
form-0-id:46476
form-1-quantity:1
form-1-id:49589

But when I dump the request log in the Django server, the csrftoken cookie is missing:
csrfmiddlewaretoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex&form-TOTAL_FORMS=2&form-INITIAL_FORMS=2&form-MIN_NUM_FORMS=0&form-MAX_NUM_FORMS=1000&form-0-quantity=2&form-0-id=46476&form-1-quantity=1&form-1-id=49589 [0m
{'jivaana_last_visited_page': '/product/traditional-maharastrian-earrings-green-12629/', 'jivaana_last_visited_image': 'undefined', 'jivaana_country': 'IN', 'last_session_reminder': '1', '_ga': 'GA1.3.133645024.1488272511', 'mailer_popup': 'no', 'sessionid': 'si11ft0y1w6fr1ostgd9yd0yi88xpyo9', 'QGUserId': '%220319088571507253%22', 'jivaana_last_visited_product': 'Traditional', 'oscar_history': '[6251, 11144, 8724, 17749, 7849, 11402]', 'jivaana_last_visited_catalogue': '/footwear/juttis/'}

The log is getting dumped in Django middleware, hence I am not sure whether Django strips off the csrftoken cookie from the request. If Django is not stripping off the CSRF cookie, then this is an issue with CSRF, and the missing csrftoken cookie explains the 403 Forbidden error.
On clearing browser cache, the form POST starts working again. 

I am not sure why the above is happening and hence was wondering if anyone has faced a similar issue and has an answer/solution to the above. The above issue occurs only for a few users (not all), but it's affecting our business.

Also, when the 403 CSRF occurs, Django throws a DEBUG page with the following content:

CSRF Verification failed. Request aborted.......You are seeing this page because you have DEBUG=TRUE. 

The above error page should not occur, as DEBUG is set to False in our production environment.

I would appreciate it if someone could throw some light on the above issues.

Thanks.
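As an added diagnostic (not code from this post and not Django's own implementation), the Python model below replays the check Django 1.8's CsrfViewMiddleware performs on a POST: the csrftoken cookie must be present and must match the csrfmiddlewaretoken form field. Feeding it the two views above (browser request with the cookie, server-side dump without it) shows which of Django's two 403 reasons each one triggers; the cookie parser, token and sample headers are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs

# Failure reasons as reported by Django's CsrfViewMiddleware.
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def parse_cookie_header(header):
    """Hypothetical tolerant Cookie: header parser (handles quoted \\054 values)."""
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk or "=" not in chunk:
            continue
        key, val = chunk.split("=", 1)
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # strip the quotes Django adds around list values
        cookies[key.strip()] = val
    return cookies


def diagnose_csrf(cookie_header, post_body):
    """Replay the Django 1.8 check: csrftoken cookie must equal the form token.

    Returns (accepted, reason). Before 1.10 the form token was the unmasked
    cookie value, so a constant-time string compare models the check.
    """
    cookies = parse_cookie_header(cookie_header)
    cookie_token = cookies.get("csrftoken", "")
    if not cookie_token:
        # The server-side dump above lands here: the cookie never arrived.
        return False, REASON_NO_CSRF_COOKIE
    form_token = parse_qs(post_body).get("csrfmiddlewaretoken", [""])[0]
    if not hmac.compare_digest(cookie_token, form_token):
        return False, REASON_BAD_TOKEN
    return True, None


# Constructed sample values; the token is made up, not the one from the post.
TOKEN = "c0nstructedT0kenValue0123456789ab"
POST_BODY = "csrfmiddlewaretoken=%s&form-TOTAL_FORMS=2&form-0-id=46476" % TOKEN
BROWSER_COOKIES = 'sessionid=s1; oscar_history="[6251\\054 11144]"; csrftoken=%s; _ga=GA1.2.1' % TOKEN
SERVER_COOKIES = 'sessionid=s1; oscar_history="[6251\\054 11144]"; _ga=GA1.2.1'

if __name__ == "__main__":
    print(diagnose_csrf(BROWSER_COOKIES, POST_BODY))  # (True, None)
    print(diagnose_csrf(SERVER_COOKIES, POST_BODY))   # (False, 'CSRF cookie not set.')
```

Running the real requests through a check like this in a logging middleware placed before CsrfViewMiddleware tells you whether the cookie is absent on arrival (a browser or proxy problem) or present but mismatched (a stale form).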


Matthew Pava

Apr 9, 2017, 2:52:34 PM
to django...@googlegroups.com

I have had that issue as well.  It happens very infrequently for me, and I have yet to find a solution to it.  My guess, at least in my situation, is that it has something to do with authentication and resetting the server while a user is filling out the form.  Since a simple refresh works in my situation, I haven’t taken the time to investigate further since it works just fine otherwise.  But you are right in that it shows the DEBUG page in the production environment, which seems odd.  I would rather have it emailed to me.  I am using Django 1.10, but I think Django 1.11 (just released) changed something regarding CSRFs.

