CSRF token missing or incorrect when uploading large file through admin interface

[Duncan Mortimer]

Hi,

I've developed a software download site using Django 1.11 running on mod_wsgi. We are using the admin site to upload new software releases that are then indexed for download at a later date via Apache (not involving Django).

Files are uploaded via the TemporaryFileHandler and then a post save handler calculates a SHA256 sum for insertion into the DB record.

We have been seeing an CSRF issue when uploading large releases (2-3GB in size). They upload perfectly fine when submitted on the development machine using runserver with the MySQL DB, source file and upload destination all being local. We have now deployed this to the production site and initially discovered that any significant upload with Safari would fail. Chrome worked fine - you got the file upload progress bar that Chrome provides then a pause whilst the file was copied to the media root and then checksummed. I've also had reports of Firefox working too (but without the upload progress bar).

Today I had a need to upload a new version of one of the software packages and cannot get this to succeed in any browser, all take you back to the page I created for CSRF errors and the server logs show:

[27/Apr/2017 15:04:38] WARNING [django.security.csrf:160] Forbidden (CSRF token missing or incorrect.): /app_url/admin/app/modelname/instanceid/change/

I've checked in the browser and both cookie and CSRF form fields are present. I'm assuming this must be some time related issue as an upload would typically take around 1-2 minutes.

Does this sound like a Django bug or have I missed something obvious?

Regards,

Duncan

[ludovic coues]

Related to your problem, I wonder if it's the same instance of django handling serving the form and handling saving the file. Different instance of django might expect different token.

Less related to your issue, I suggest that you have a look at butler, an open source project from itch.io. For context, itch.io is a website for distribution of indie media, mainly games. Butler is a command line tools which let authors only upload the difference between version while the website build the full thing for download. The results is much faster upload and reduced bandwidth usage.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/032beb69-6978-479d-a6b0-d7d5834a3b06%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.