CSRF cookie not set issue
1,274 views
Skip to first unread message
kany...@fonality.com
Sep 10, 2015, 11:16:11 AM9/10/15
to Django users
First of all I have done my research and found no reasonable explanation for my issue. I have a site on heroku that works fine on the first page, but when I click a button that I have programmed to go to another page, I obtain the infamous CSRF error. The reason for this error is CSRF cookie is not set. Here is a description of the background work done on the dev side:
1. Settings.py
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
#'django.middleware.security.SecurityMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
)
2. base.py
<form class="col-lg-12" method = "post" id="loginform" action= "/menu/">
{% csrf_token %}
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Email address" type="text">
</div>
<br>
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Password" type="text">
</div>
<br>
<br>
<button class="btn btn-lg btn-primary" style = "width: 100px" type="button" onClick ="logIn();">Log In</button>
<br><br>
</form>
3. views.py
def menu(request):
return render_to_response('home/base_1.html', context_instance = RequestContext(request, {}) )
4. javascript for the function logIn() that is executed when the button is clicked from (2)
function logIn ()
{
alert('Form has been submitted');
document.getElementById('loginform').submit();
}
I am seriously bewildered and cannot understand why the base_1.html site is not being rendered and I am getting this CSRF error ! Please help me,
1. Settings.py
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
#'django.middleware.security.SecurityMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
)
2. base.py
<form class="col-lg-12" method = "post" id="loginform" action= "/menu/">
{% csrf_token %}
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Email address" type="text">
</div>
<br>
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Password" type="text">
</div>
<br>
<br>
<button class="btn btn-lg btn-primary" style = "width: 100px" type="button" onClick ="logIn();">Log In</button>
<br><br>
</form>
3. views.py
def menu(request):
return render_to_response('home/base_1.html', context_instance = RequestContext(request, {}) )
4. javascript for the function logIn() that is executed when the button is clicked from (2)
function logIn ()
{
alert('Form has been submitted');
document.getElementById('loginform').submit();
}
I am seriously bewildered and cannot understand why the base_1.html site is not being rendered and I am getting this CSRF error ! Please help me,
kany...@fonality.com
Sep 10, 2015, 11:18:20 AM9/10/15
to Django users
By the way, I am using Django 1.8.3 (final)
monoBOT
Sep 10, 2015, 11:51:05 AM9/10/15
to django...@googlegroups.com
show us the base_1.html
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/14ec3bc1-c7ff-4d3e-8065-9eae959720fc%40googlegroups.com.--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
monoBOT
Visite mi sitio(Visit my site): monobotsoft.es/blog/
Kevin Anyanwu
Sep 10, 2015, 11:35:05 PM9/10/15
to django...@googlegroups.com
base_1.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<title>goals</title>
<meta name="generator" content="Bootply" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<!--[if lt IE 9]>
<script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Custom CSS -->
<link href="../../static/css/app.css" rel="stylesheet">
</head>
<body>
<div id="menu" class="default">
<ul>
<li><a href="#">Cirriculmn</a></li>
<li><a href="#">Notes</a></li>
<li><a href="#">Collaborte</a></li>
</div>
<!-- script references -->
<script type="text/javascript" src="jquery.min.js" charset="utf-8"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script>
<script src="../../static/assets/js/bootstrap.min.js"></script>
<script src="../../static/assets/js/menubar.js"></script>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<title>goals</title>
<meta name="generator" content="Bootply" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<!--[if lt IE 9]>
<script src="//html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Custom CSS -->
<link href="../../static/css/app.css" rel="stylesheet">
</head>
<body>
<div id="menu" class="default">
<ul>
<li><a href="#">Cirriculmn</a></li>
<li><a href="#">Notes</a></li>
<li><a href="#">Collaborte</a></li>
</div>
<!-- script references -->
<script type="text/javascript" src="jquery.min.js" charset="utf-8"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script>
<script src="../../static/assets/js/bootstrap.min.js"></script>
<script src="../../static/assets/js/menubar.js"></script>
</body>
</html>
--
You received this message because you are subscribed to a topic in the Google Groups "Django users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-users/scpBffl8s3A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CA%2BxOsGCqOXSCs7dFDTNNfgEgKHk2vsbXNEmFN4LpkgNabgjVNA%40mail.gmail.com.
Kevin Anyanwu
Sep 11, 2015, 10:56:43 PM9/11/15
to django...@googlegroups.com
Can anyone help ?
James Schneider
Sep 12, 2015, 3:57:25 AM9/12/15
to django...@googlegroups.com
In the rendered version sent to the browser, are you able to validate that the CSRF token is actually being created and inserted as a hidden element in your form?
Also, it doesn't look like any of your buttons are marked as type=submit. Not sure if that matters when submitting via JS though.
-James
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAE1x1E12Yg%3DJWs9Q1vgnVwgJkBLOxU9CKjij5POzQUXFERDkEw%40mail.gmail.com.
Kevin Anyanwu
Sep 12, 2015, 8:53:32 PM9/12/15
to django...@googlegroups.com
Hi James,
Thanks for the response... I opened the *rendered* source page in Mozilla and couldn't find the csrf_token even though I had already added the { % csrf_token %} . Something seems wrong. Any suggestions moving forward ?
Thanks for the response... I opened the *rendered* source page in Mozilla and couldn't find the csrf_token even though I had already added the { % csrf_token %} . Something seems wrong. Any suggestions moving forward ?
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CA%2Be%2BciWEmRN91O7kL3E2zXZy8Tr3WrsNCFAucODvVssb1gyTZw%40mail.gmail.com.
James Schneider
Sep 13, 2015, 4:11:25 AM9/13/15
to django...@googlegroups.com
Comments in several places inline below:
Thanks for the response... I opened the *rendered* source page in Mozilla and couldn't find the csrf_token even though I had already added the { % csrf_token %} . Something seems wrong. Any suggestions moving forward ?
You should be seeing a hidden element after your opening <form> tag that replaces the {% csrf_token %} that looks something like this:
<input name="csrfmiddlewaretoken" value="Pm1X5O8teUDDU6WCzjP13fBzlrcoLLXZ" type="hidden">
If you aren't seeing that, chances are your form submission is not going to work since the CSRF token isn't being generated properly.
Are you sure that base_1.html template is correct? There is no reference to a <form> anywhere in that template. There's also no obvious reference to any JS files that would run the submit function that you are talking about.
Are you inserting the form via JS? If so, you'll need to manually populate the CSRF hidden input and/or include the CSRF token in your AJAX response headers. Django won't do this for you unless you specifically write a view to generate the HTML on the server side and send it as a response to an AJAX request, which doesn't appear to be the case.
2015-09-10 16:18 GMT+01:00 <kany...@fonality.com>:By the way, I am using Django 1.8.3 (final)
On Thursday, September 10, 2015 at 8:16:11 AM UTC-7, kany...@fonality.com wrote:First of all I have done my research and found no reasonable explanation for my issue. I have a site on heroku that works fine on the first page, but when I click a button that I have programmed to go to another page, I obtain the infamous CSRF error. The reason for this error is CSRF cookie is not set. Here is a description of the background work done on the dev side:
1. Settings.py
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
#'django.middleware.security.SecurityMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
)
One other thing I noticed is that you have 'django.middleware.csrf.CsrfViewMiddleware' defined twice in MIDDLEWARE_CLASSES. Not sure if that is related, but you should remove the bottom entry anyway.
2. base.py
<form class="col-lg-12" method = "post" id="loginform" action= "/menu/">
{% csrf_token %}
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Email address" type="text">
</div>
<br>
<div class="input-group" style="width: 65%;0px;text-align:center;margin:0 auto;">
<input class="form-control input-lg" title="Don't worry. We hate spam, and will not share your email with anyone." placeholder="Password" type="text">
</div>
<br>
<br>
<button class="btn btn-lg btn-primary" style = "width: 100px" type="button" onClick ="logIn();">Log In</button>
<br><br>
</form>
Where exactly is base.py used? None of your other code that you've posted references it. You'll need to make sure that you are invoking the template engine using RequestContext if you want the {% csrf_token %} tag to work.
Also, base.py appears to be entirely made up of HTML?? Did you mean base.html here?
3. views.py
def menu(request):
return render_to_response('home/base_1.html', context_instance = RequestContext(request, {}) )
Is there another view in play? This view uses base_1.html, but as I mentioned earlier, base_1.html doesn't have any form references. It also won't do anything with the data submitted in the form.
4. javascript for the function logIn() that is executed when the button is clicked from (2)
function logIn ()
{
alert('Form has been submitted');
document.getElementById('loginform').submit();
}
I think this will work, but as an end-user, I despise any site that makes use of alert(). Just sayin'...
I am seriously bewildered and cannot understand why the base_1.html site is not being rendered and I am getting this CSRF error ! Please help me,
So am I. Can you post the urls.py, views.py, forms.py, models.py, and related templates for the form page? That is likely where your problem lies (since the issue appears to be related to submitting the form, so the landing page can be taken out of the equation for now).
Also, this page may be a good reference for CSRF issues if you haven't seen it already: https://docs.djangoproject.com/en/1.8/ref/csrf/
-James
Reply all
Reply to author
Forward
0 new messages