Only Two Users Get : Forbidden (403) CSRF verification failed. Request aborted.


Johan

May 10, 2012, 10:56:13 AM5/10/12
to Django users
Hi

Does anybody maybe have some pointers for me? I have a site up and
running and it has worked perfectly for hundreds of users. Except that
today I got two users (from the same company, although others from the
same company have used it perfectly well) who are getting the [CSRF
verification failed] issue. I have looked in my access.log and it
seems like all the requests around the time of the failure are coming
from the same IP, so I don't suspect a genuine CSRF. Also, I know that
the coding is according to the documentation because so many others
have used this same form without any issues. Any help or hints would be
appreciated.

Thanks

Nikolas Stevenson-Molnar

May 10, 2012, 12:24:13 PM5/10/12
to django...@googlegroups.com
Django uses cookies for CSRF. Is it possible these two users have
cookies disabled?
https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works

_Nik

Johan

May 11, 2012, 2:56:50 AM5/11/12
to django...@googlegroups.com
Hi thanks for the quick reply. After some more investigation I am quite sure that this is exactly the issue. Thanks again for the quick reply. Now to just find an elegant way to let the user know that they need to have Cookies enabled to access my site :)

Sebastian Goll

May 11, 2012, 4:21:58 AM5/11/12
to django...@googlegroups.com
On Thu, 10 May 2012 23:56:50 -0700 (PDT)
Johan <djjo...@gmail.com> wrote:

> Hi thanks for the quick reply. After some more investigation I am quite
> sure that this is exactly the issue. Thanks again for the quick reply. Now
> to just find an elegant way to let the user know that they need to have
> Cookies enabled to access my site :)

You could specify the CSRF_FAILURE_VIEW setting in your settings.py to
point to a custom view that renders a simple template telling the user
that they need cookies enabled. For instance:

# settings.py

CSRF_FAILURE_VIEW = 'app.views.csrf_failure'

# app/views.py

from django.shortcuts import render

def csrf_failure(request, reason=None):
    # Use status code 403 Forbidden here.
    return render(request, 'csrf.html', status=403)

# templates/csrf.html

Some text explaining that cookies need to be enabled.

Best wishes,
Sebastian.
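Building on Sebastian's suggestion, here is an added example (my code, not from the thread or from Django itself) of a failure view that tells a cookies-disabled user what to do and logs every other failure so an operator can tell that case apart from a real problem. It assumes a csrf.html template that renders a `message` variable; the cookies-disabled heuristic is my own assumption, not part of Django.

```python
import logging

logger = logging.getLogger(__name__)

# The reason string Django's CSRF middleware passes to the failure view when
# the request carried no CSRF cookie (django.middleware.csrf.REASON_NO_CSRF_COOKIE).
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."

COOKIES_DISABLED_MSG = (
    "Your browser is not accepting cookies. Please enable cookies for this "
    "site and reload the page."
)
GENERIC_MSG = "The form could not be verified. Please reload the page and try again."


def classify_csrf_failure(reason, has_any_cookie):
    """Return (message_for_user, worth_logging).

    Heuristic (an assumption, not Django's logic): a missing CSRF cookie from a
    client that sent no cookies at all is almost certainly a browser with
    cookies disabled, as in the thread above. Any other failure (missing cookie
    alongside other cookies, or a bad token) gets a generic message and is
    logged for review.
    """
    if reason == REASON_NO_CSRF_COOKIE and not has_any_cookie:
        return COOKIES_DISABLED_MSG, False
    return GENERIC_MSG, True


def csrf_failure(request, reason=""):
    """View to name in CSRF_FAILURE_VIEW. Django is imported lazily so the
    helper above can be unit-tested without a configured Django project."""
    from django.shortcuts import render

    message, worth_logging = classify_csrf_failure(reason, bool(request.COOKIES))
    if worth_logging:
        logger.warning(
            "CSRF failure: reason=%r path=%s ip=%s referer=%r",
            reason, request.path,
            request.META.get("REMOTE_ADDR"), request.META.get("HTTP_REFERER"),
        )
    return render(request, "csrf.html", {"message": message}, status=403)
```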