CSRF verification failed when I use smart phone


Sugita Shinsuke

Jan 6, 2015, 4:09:46 AM
to django...@googlegroups.com
Hello.

When I use Django via my smartphone (Android and iOS), the error sometimes occurs.

Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function uses RequestContext for the template, instead of Context.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.


I appended 'django.middleware.csrf.CsrfViewMiddleware' to MIDDLEWARE_CLASSES in settings.py.

I use
Python 2.7.5
Django 1.6.4

Anyone who knows about this matter, please help.

Vijay Khemlani

Jan 6, 2015, 9:00:10 AM
to django...@googlegroups.com
Did you include the {% csrf_token %} tag in the form? Is it generating the corresponding hidden input tag in the HTML?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e0db1d43-8897-40fc-be1d-65c76d9da503%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sugita Shinsuke

Jan 8, 2015, 3:45:21 AM
to django...@googlegroups.com
Hello Vijay Khemlani 

Thank you for replying.
But of course I appended the tag in my form, like below:

    <div class="container">
        <form method="POST" action=".">{% csrf_token %}

But I wonder whether using the iframe is bad.

The form is a child of the iframe.

I also checked Chrome's developer tool.
The csrf token was saved in the cookie.

On Tuesday, January 6, 2015 at 23:00:10 UTC+9, Vijay Khemlani wrote:

Abraham Varricatt

Jan 8, 2015, 6:09:11 AM
to django...@googlegroups.com
Can it be possible that you are rendering a different template (without CSRF) for the mobile version?

-Abraham V.

Zach Borboa

Jan 9, 2015, 1:14:55 AM
to django...@googlegroups.com
Mobile device could also be caching an incorrect csrf token.

Sugita Shinsuke

Jan 9, 2015, 8:53:44 PM
to django...@googlegroups.com
Hello Abraham V.

Thank you for replying.
It is a nice idea.
But the PC version also sometimes has it, less often than mobile.


On Thursday, January 8, 2015 at 20:09:11 UTC+9, Abraham Varricatt wrote:

Sugita Shinsuke

Jan 9, 2015, 9:00:31 PM
to django...@googlegroups.com
Hi Zach Borboa

Thank you for replying.

Do you mean that both of PC and Mobile device are caching an incorrect csrf token?

I use an iframe.
The child frame HTML page uses the form; can it use CSRF?

On Friday, January 9, 2015 at 15:14:55 UTC+9, Zach Borboa wrote:

James Schneider

Jan 9, 2015, 9:16:37 PM
to django...@googlegroups.com

Is the iframe sourced from the same domain as the main page that was requested in the address bar? Is the action for the form pointing at a different domain than the one that generated it?

-James

> Mobile device could also be caching an incorrect csrf token.


Pouria M

Jan 28, 2015, 8:13:48 PM
to django...@googlegroups.com
Hi Everyone, 

I am facing a similar issue... CSRF verification fails on iOS using Chrome...
Appreciate any insights.
p

Zach Borboa

Jan 29, 2015, 12:46:23 AM
to django...@googlegroups.com
For anyone trying to debug this issue, you may want to print out the variable using {{ csrf_token }} as well as using {% csrf_token %} on the form to verify the token is correct.

Pouria M

Jan 30, 2015, 4:59:45 PM
to django...@googlegroups.com
Thanks Zach. 
What are your thoughts after this test, if they match or if they don't match?

Zach Borboa

Jan 30, 2015, 7:44:51 PM
to django...@googlegroups.com
What you want to compare is the expected token value and the token value the view received (via POST, PUT, DELETE, etc.). These values need to match. Printing out the token via {{ csrf_token }} in the template will show you the token that the view will receive when the form is submitted. This submitted value needs to match the value in the cookie named csrftoken.

Zach Borboa

Jan 30, 2015, 7:48:08 PM
to django...@googlegroups.com

Here's an example of the csrf cookie value obtained by typing document.cookie in the JavaScript console.


Michael Greer

May 30, 2015, 4:30:27 PM
to django...@googlegroups.com
We have started seeing this behavior occasionally. No code change in this area, but sometimes (esp on phones) the CSRF cookie is wrong.

Our guess is too many cookies on the domain, but it is difficult to prove this. Indeed, opening a new browser session resolves it... temporarily.

-Mike

Gergely Polonkai

May 31, 2015, 3:58:32 AM
to django...@googlegroups.com

I had this error when I had two Django applications on the same domain, both with the same (default) CSRF cookie name. Changing the cookie name to something different solved the issue.
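Putting Zach's description of the check (the submitted token must equal the csrftoken cookie) together with Gergely's cookie-name collision, here is a small Python model of both. It is an added example, not code from this thread and not Django's own implementation: the cookie names app_a_csrftoken and app_b_csrftoken, the BrowserJar class and the token values are constructed for the demo, and the scenario assumes that the second application issues a fresh token while the user has the first application's form open (Django does this, for instance, when the user logs in, because login rotates the CSRF token).

```python
"""Model of Django's cookie-vs-form CSRF check and of the same-domain cookie-name collision.
Added example; not code from the thread or from Django itself."""
import hmac
import secrets
from http.cookies import SimpleCookie

# Failure reasons worded like Django's messages (the second one is the one quoted in the thread).
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def csrf_check(cookie_header, cookie_name, submitted_token):
    """Model of what CsrfViewMiddleware does on an unsafe method (POST, PUT, DELETE, ...):
    the token the browser sends back in its cookie must equal the token the form carried.
    Returns None on success, otherwise the reason string."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if cookie_name not in jar:
        return REASON_NO_CSRF_COOKIE
    expected = jar[cookie_name].value
    # Constant-time comparison so a wrong token cannot be distinguished by timing.
    if not submitted_token or not hmac.compare_digest(expected, submitted_token):
        return REASON_BAD_TOKEN
    return None


class BrowserJar:
    """Minimal model (constructed for this example) of a browser's per-host cookie jar:
    a later Set-Cookie with the same name on the same host silently replaces the earlier value."""

    def __init__(self):
        self._cookies = {}

    def set_cookie(self, name, value):
        self._cookies[name] = value

    def header(self):
        # What the browser would send in the Cookie: request header.
        return "; ".join(f"{k}={v}" for k, v in self._cookies.items())


def render_form(jar, cookie_name):
    """Model of one page render: the app sets its CSRF cookie and puts the same value into the
    hidden csrfmiddlewaretoken field that {% csrf_token %} emits. Returns that field's value
    (what {{ csrf_token }} would print in the template)."""
    token = secrets.token_hex(16)  # 32 hex characters, like Django's token
    jar.set_cookie(cookie_name, token)
    return token


def two_apps_same_domain(app_a_cookie, app_b_cookie):
    """Open app A's form, then app B's form on the same host, then submit app A's form.
    Returns the outcome of app A's CSRF check (None means it passed)."""
    jar = BrowserJar()
    token_a = render_form(jar, app_a_cookie)  # tab 1: app A renders its form
    render_form(jar, app_b_cookie)            # tab 2: app B issues its own token (assumption, see lead-in)
    return csrf_check(jar.header(), app_a_cookie, token_a)  # user submits tab 1


if __name__ == "__main__":
    # Both apps on the default name "csrftoken": app B overwrote app A's cookie, so the hidden
    # field from tab 1 no longer matches the cookie the browser sends with the POST.
    print(two_apps_same_domain("csrftoken", "csrftoken"))  # CSRF token missing or incorrect.
    # Gergely's fix: a distinct CSRF_COOKIE_NAME in each app's settings.py.
    print(two_apps_same_domain("app_a_csrftoken", "app_b_csrftoken"))  # None
```

The corresponding settings change is one line per application, e.g. CSRF_COOKIE_NAME = "app_a_csrftoken" in one settings.py and "app_b_csrftoken" in the other (the names are the example's, the setting is Django's). The same model explains Zach's debugging advice: if the value printed by {{ csrf_token }} differs from the csrftoken cookie shown by document.cookie at the moment of submission, the check cannot pass.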


Wim Feijen

Jun 26, 2015, 10:35:52 AM
to django...@googlegroups.com
Thanks Gergely, 

That solved it for me. 

Wim

Michael Greer

Jun 26, 2015, 10:46:20 AM
to django...@googlegroups.com
BTW, it turned out to be a cookie parsing error in Python for us, only recently solved, in which Python incorrectly balked at parsing the "[" character in cookie values and then threw out the remaining cookies.

This has been fixed in 2.7.10 (and new versions of 3) but is not yet in Debian stable.

-Mike

--
--------------------------
Michael Greer
CTO & Co-Founder
TAPP TV
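Mike's failure mode is worth seeing in code: a parser that stops at the first cookie it dislikes drops every cookie after it, and whether csrftoken survives then depends on where in the header the browser happened to put it. The following is an added Python example, not the thread's code and not Python's or Django's parser: parse_cookie_strict is a constructed model of the abort-on-first-error behaviour, parse_cookie_tolerant validates each name=value pair on its own, and CONSTRUCTED_HEADER with its cookie names and values is made up for the demo. The grammar used is the RFC 6265 cookie-octet set, under which "[" and "]" are legal value characters.

```python
"""Strict (abort-on-error) versus tolerant (per-cookie) parsing of a Cookie request header.
Added example; the strict parser models the failure mode described in the thread,
it is not Python's http.cookies implementation."""
import re

# RFC 6265 grammar: cookie-name is an HTTP token; cookie-value is printable ASCII
# excluding control characters, whitespace, double quote, comma, semicolon and backslash,
# optionally wrapped in double quotes. '[' (0x5B) and ']' (0x5D) are allowed.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VALUE_RE = re.compile(r'^"?[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"?$')

# Constructed header: a legal bracketed value, then a malformed cookie (backslash and a space),
# then the CSRF cookie. Which cookie comes last is up to the browser, not the application.
CONSTRUCTED_HEADER = "sessionid=9f3a; prefs=theme[dark]; bad=a\\b c; csrftoken=abc123"


def _pairs(header):
    """Split a Cookie header into (name, value) strings without validating them."""
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        yield name.strip(), value.strip()


def _valid(name, value):
    return bool(_NAME_RE.match(name) and _VALUE_RE.match(value))


def parse_cookie_strict(header):
    """Model of abort-on-first-error parsing: the first cookie outside the grammar ends parsing,
    so it and every cookie after it are lost. This is the behaviour Mike describes."""
    cookies = {}
    for name, value in _pairs(header):
        if not _valid(name, value):
            break
        cookies[name] = value.strip('"')
    return cookies


def parse_cookie_tolerant(header):
    """Per-cookie parsing: each pair is validated independently and only the bad ones are
    skipped, so csrftoken survives regardless of what other cookies share the domain."""
    cookies = {}
    for name, value in _pairs(header):
        if _valid(name, value):
            cookies[name] = value.strip('"')
    return cookies


if __name__ == "__main__":
    print(parse_cookie_strict(CONSTRUCTED_HEADER))    # {'sessionid': '9f3a', 'prefs': 'theme[dark]'}
    print(parse_cookie_tolerant(CONSTRUCTED_HEADER))  # adds 'csrftoken': 'abc123', drops only 'bad'
```

With the strict parser the request arrives at the CSRF middleware with no csrftoken cookie at all, which is exactly the "CSRF token missing or incorrect" page from the top of the thread, and it only happens for users whose browsers carry some other cookie the parser rejects, which is why it looked random and device-dependent. Clearing cookies or opening a fresh session removes the offending cookie, which matches Mike's observation that a new browser session fixes it temporarily.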

Robert F.

Jun 25, 2019, 10:46:06 PM
to Django users
Make sure you aren't blocking cookies on whatever device is giving you problems.  You'll get this error if you are blocking them.

Aldian Fazrihady

Jun 25, 2019, 11:01:38 PM
to django...@googlegroups.com
Please make sure the csrftoken cookie is returned to the Android app.

Regards, 

Aldian Fazrihady


Anirudh Jain

Jun 26, 2019, 8:19:04 AM
to django...@googlegroups.com
Are you using it as a website or a mobile app? If it is a website, then try logging out and logging in again. You might have logged in as another user, or it might be a caching problem.
