Android browser and csrf protection


Ivan Uemlianin

Oct 19, 2011, 10:17:13 AM
to Django users
Dear All

I have a django webapp with a very simple login page, a form with
username, password and the {% csrf %} tag. The page works as expected
when using Chrome, Firefox and Safari, but when trying to login from
my Android phone browser, the page returns the "CSRF verification
failed" error page (django running debug=True for the moment).
However, I have been logged in: if I reload the page, I get the page I
was expecting, along with the user details.

eg.com/login/ # ok, enter username "tu01", password, send
eg.com/profile/ # error: csrf verification failed, reload
eg.com/profile/ # ok, "tu01"'s homepage

Has anyone else had odd behaviour like this from the Android browser?
Can anyone suggest what might be the problem?

(Haven't tested with iPhone or Blackberry yet, will do this
evening).

With thanks and best wishes

Ivan

Ivan Uemlianin

Oct 20, 2011, 6:02:54 AM
to Django users
Dear All

Just to follow up slightly:

- iPhone and Blackberry browsers access the site properly;
- the Android browser gets the csrf errors with django 1.2 and django
1.3
- with another site I'd developed earlier on django 1.2, the Android
browser passes csrf verification properly.
- the "failing" site is on webfaction, the "working" site is on a bare
machine (centos, nginx, etc).

Does anyone have any suggestions as to what's going on? Why should
the Android browser be behaving differently to all the others?

Best wishes

Ivan