Forbidden (CSRF token missing or incorrect.)


Rabah Saadi
Nov 21, 2018, 8:38:19 AM
to Django users
Hello,

I've been using Django 2.2Dev for a while now, since April 2018, and it is working just fine (I got my reasons for using Django Dev). But since the last git pull, it shows the CSRF token missing on every page that has a form with a CSRF token.

Is there something broken or ...? My Django-2.2Dev before the last "git pull" was working just fine.

PS: Downgrading to Django 2.1.3 stable works fine too.

thank you.

Jason
Nov 21, 2018, 11:42:43 AM
to Django users
Sounds like you really should post this to the django-developers user group or the project bug tracker as a regression report.

Gear Crew
Nov 21, 2018, 12:24:54 PM
to Django users
Send us a screenshot of the issue.

Rabah Saadi
Nov 24, 2018, 8:07:52 AM
to django...@googlegroups.com
Here are the screenshots:
---------------------------------

(hellops-G3NgZpUh) rango@Pavilion:~/dev/hellops$ python manage.py runserver
Performing system checks…

System check identified no issues (0 silenced).
November 24, 2018 - 12:52:56
Django version 2.2.dev20181124001902, using settings 'hellops.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
[24/Nov/2018 12:53:01] "GET /static/assets/app/media/img/misc/user_profile_bg.jpg HTTP/1.1" 200 8192
[24/Nov/2018 12:53:02] "GET /accounts/logout/ HTTP/1.1" 302 0
[24/Nov/2018 12:53:02] "GET /accounts/login/ HTTP/1.1" 200 9208
[24/Nov/2018 12:53:02] "GET /static/assets/app/media/img/logos/logo-1.png HTTP/1.1" 200 3475
[24/Nov/2018 12:53:05] "POST /accounts/login/ HTTP/1.1" 302 0
[24/Nov/2018 12:53:05] "GET /dashboard/ HTTP/1.1" 200 233576
[24/Nov/2018 12:53:06] "GET /static/assets/vendors/custom/fullcalendar/fullcalendar.bundle.css HTTP/1.1" 200 8192
[24/Nov/2018 12:53:06] "GET /static/hellops-logos/x48/Peugeot-logo-x48.png HTTP/1.1" 200 5256
[24/Nov/2018 12:53:06] "GET /static/hellops-logos/x48/Volkswagen-logo-x48.png HTTP/1.1" 200 5465
[24/Nov/2018 12:53:06] "GET /static/hellops-logos/x48/Renault-logo-x48.png HTTP/1.1" 200 3717
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/blog/blog1.jpg HTTP/1.1" 200 88643
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/user1.jpg HTTP/1.1" 200 8583
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/user5.jpg HTTP/1.1" 200 9674
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/user4.jpg HTTP/1.1" 200 8627
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/100_4.jpg HTTP/1.1" 200 11984
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/100_11.jpg HTTP/1.1" 200 14410
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/100_13.jpg HTTP/1.1" 200 17908
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/users/100_14.jpg HTTP/1.1" 200 17255
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/products/product6.jpg HTTP/1.1" 200 255923
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/products/product11.jpg HTTP/1.1" 200 171862
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/client-logos/logo1.png HTTP/1.1" 200 3392
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/client-logos/logo2.png HTTP/1.1" 200 4231
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/client-logos/logo3.png HTTP/1.1" 200 3405
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/client-logos/logo5.png HTTP/1.1" 200 3051
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/client-logos/logo4.png HTTP/1.1" 200 5461
[24/Nov/2018 12:53:06] "GET /static/assets/app/media/img/products/product10.jpg HTTP/1.1" 200 8192
[24/Nov/2018 12:53:07] "POST /dashboard/inc/api/datatables/demos/default.php HTTP/1.1" 404 3925
Forbidden (CSRF token missing or incorrect.): /vehicule/create/
[24/Nov/2018 12:53:08] "pagination%5Bpage%5D=1&pagination%5Bperpage%5D=10&sort%5Bsort%5D=asc&sort%5Bfield%5D=OrderID&query=GET /vehicule/create/ HTTP/1.1" 403 2536

--------
The last line was in red.
And the browser output is:
------------------------------------

Forbidden (403)

CSRF verification failed. Request aborted.

Help

Reason given for failure:

    CSRF token missing or incorrect.
    

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

  • Your browser is accepting cookies.
  • The view function passes a request to the template's render method.
  • In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
  • If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
  • The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

-------------------------------------

Any idea??

Thank you so much guys


Rabah Saadi
Nov 28, 2018, 8:38:21 AM
to Django users
Any clue, guys?? Please.

Andreas Schosser
Nov 29, 2018, 8:14:38 AM
to django...@googlegroups.com
Hi Rabah,

I encountered a similar problem today and could pin it to the setting
"CSRF_COOKIE_SECURE = True". I don't use https on my development
machines so the cookie is not set. Changing the value to
"CSRF_COOKIE_SECURE = False" in my local settings solved it.

You may check how you access your sites, by http or https.

Greetings,
Andreas

Zach
Nov 29, 2018, 11:58:12 AM
to Django users
When using the development server over HTTP, don't set these values:
    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_SECURE = True
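To show the mechanism behind Andreas's and Zach's replies, here is an added example (not code from the thread or from Django itself). It uses Python's standard http.cookiejar, whose default policy applies the same rule a browser does to the Secure attribute: a cookie flagged Secure is stored but never attached to a plain http:// request. With CSRF_COOKIE_SECURE = True on the dev server, the csrftoken cookie therefore never comes back, CsrfViewMiddleware finds no cookie to compare the form token against, and the POST is rejected with "CSRF token missing or incorrect". The Set-Cookie header, the token value and the URLs are constructed for the example, and secure_cookie_mismatches is a hypothetical settings check, not a Django API.

```python
import http.cookiejar
import urllib.parse
import urllib.request
from email.message import Message

CSRF_COOKIE_NAME = "csrftoken"  # Django's default CSRF_COOKIE_NAME


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def csrf_set_cookie_header(csrf_cookie_secure):
    """Build a Set-Cookie header shaped like the one Django's CsrfViewMiddleware
    emits. Constructed for this example; the token value is not a real token."""
    parts = [f"{CSRF_COOKIE_NAME}=constructedcsrftokenvalue0123456789", "Path=/"]
    if csrf_cookie_secure:
        parts.append("Secure")  # this is what CSRF_COOKIE_SECURE = True adds
    return "; ".join(parts)


def csrf_cookie_is_sent_back(site_url, csrf_cookie_secure):
    """Simulate a browser: receive the CSRF cookie on a GET of the login page,
    then check whether the jar attaches it to the next request to the same site.
    Returns True if the follow-up request's Cookie header carries csrftoken."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy enforces Secure

    first = urllib.request.Request(site_url + "accounts/login/")
    jar.extract_cookies(_FakeResponse(csrf_set_cookie_header(csrf_cookie_secure)), first)

    follow_up = urllib.request.Request(site_url + "vehicule/create/")
    jar.add_cookie_header(follow_up)  # skips Secure cookies unless the scheme is https
    cookie_header = follow_up.get_header("Cookie", "")
    return f"{CSRF_COOKIE_NAME}=" in cookie_header


def secure_cookie_mismatches(site_url, settings):
    """Hypothetical settings check (not a Django API): return the *_COOKIE_SECURE
    settings that are True although the site is served over plain http, the
    combination that made the dev server reject every CSRF-protected POST."""
    scheme = urllib.parse.urlsplit(site_url).scheme
    if scheme == "https":
        return []
    return [name for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE")
            if settings.get(name)]


if __name__ == "__main__":
    dev_url = "http://127.0.0.1:8000/"  # the runserver URL from the thread
    for secure in (True, False):
        print(f"CSRF_COOKIE_SECURE={secure}: csrftoken sent back over http? "
              f"{csrf_cookie_is_sent_back(dev_url, secure)}")
    print(secure_cookie_mismatches(dev_url, {"CSRF_COOKIE_SECURE": True,
                                              "SESSION_COOKIE_SECURE": True,
                                              "DEBUG": True}))
```

Running it prints False for the Secure variant over http and True once the attribute is dropped, and the settings check lists both cookie settings for the http dev URL. The same simulation returns True for a Secure cookie on an https:// URL, which is why the setting is right for production and only wrong for a plain-http development server.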

Rabah Saadi
Dec 2, 2018, 3:08:06 AM
to Django users
Hi guys.

Thank you for the answers. I forgot to tell you that I hit the server in development and it is http (local).

I did put these parameters in my settings.py:

CSRF_COOKIE_SECURE = False
SESSION_COOKIE_SECURE = False

but it keeps displaying the same message:

Forbidden (CSRF token missing or incorrect.): /vehicule/
[02/Dec/2018 08:03:10] "pagination%5Bpage%5D=1&pagination%5Bperpage%5D=10&sort%5Bsort%5D=asc&sort%5Bfield%5D=OrderID&query=GET /vehicule/ HTTP/1.1" 403 2536


But it displays it just once this time, after I pulled the latest Django Dev from GitHub. This is happening after I log in and click on any page that has a CSRF token: it displays a 403 page. After I refresh the browser or reload it, everything works fine; you can click on whatever you want and it will work fine.

So now it's just one time after logging in.

I'm using the built-in Django login machinery (views and URLs), not even my own views to manage login.

Thank you guys.

On Wednesday, November 21, 2018 at 05:38:19 UTC-8, Rabah Saadi wrote: