Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}

by

Theory

A couple of things are required to make the csrf protection work (check out the docs):

  1. Your browser has to accept cookies from your server
  2. Make sure you have ‘django.middleware.csrf.CsrfViewMiddleware' included as middleware in your settings.py (alternatively use the decorator csrf_protect() on particular views you want to protect)
  3. Make sure you pass on the csrf token from django.core.context_processors.csrf to the context manager.

When you load your page, have a look in the page source using your favorite browser. Don’t open the template html file, open the url which point to the view containing the form. Look at where you placed the {% csrf_token %}. If you see something like

<input type="hidden" name="csrfmiddlewaretoken" value="jdwjwjefjwdjqwølksqøwkop2j3ofje" />

you should be ok.

If you on the other hand see NOTPROVIDED, something has gone wrong while creating the csrf token. By looking in the source code (context_processors.py and csrf.py), we can find out what:

  • csrf(request) returns {'csrf_token': 'NOTPROVIDED'} if get_token(request) returns None.
  • get_token(request) returns request.META.get("CSRF_COOKIE", None).

I assume this means that it would return None if the cookie isn’t successfully created.

Fix

For you, this means that you should first replace

<form action="/accounts/auth/" method="post" {% csrf_token %}>

with

<form action="/accounts/auth/" method="post">
{% csrf_token %}
(...)
</form>

We’d like the csrf field to be inside <form>...</form>, not inside <form>. As the code is at the moment, it will be converted to

<form action="/accounts/auth/" method="post" <input type="hidden" name="csrfmiddlewaretoken" value="randomchars" />>

and we would rather like

<form action="/accounts/auth/" method="post">
<input type="hidden" name="csrfmiddlewaretoken" value="randomchars" />

After that – have a look at the source code, and see if you can find the csrf field. If you can see it, everything should work in theory.

You can also check that the csrf cookie has been set in your browser, e.g. in Chrome, right-click the web page, and select Insepect Element. Select the Resources tab, and click on cookies. You should find a cookie name csrftoken there.

If you still have problems, double-check the middleware tuple in your settings.py and double-check that your browser accept cookier from your server as described above.

More Related Contents:

  1. CSRF verification failed. Request aborted
  2. Django CSRF check failing with an Ajax POST request
  3. Django SMTPAuthenticationError
  4. How to check if a user is logged in (how to properly use user.is_authenticated)?
  5. Accepting email address as username in Django
  6. Django: signal when user logs in?
  7. User Registration with error: no such table: auth_user
  8. CSRF Token missing or incorrect
  9. CSRF validation does not work on Django using HTTPS
  10. Running a specific test case in Django when your app has a tests directory
  11. Change a Django form field to a hidden field
  12. Get the latest record with filter in Django
  13. Django Setup Default Logging
  14. Making django server accessible in LAN
  15. Django Admin: Using a custom widget for only one model field
  16. Where should utility functions live in Django?
  17. Generic many-to-many relationships
  18. Django viewset has not attribute ‘get_extra_actions’
  19. ValueError – Cannot assign: must be an instance
  20. Embedding a Plotly chart in a Django template
  21. Django – New fonts?
  22. Django: Increment blog entry view count by one. Is this efficient?
  23. How to validate uniqueness constraint across foreign key (django)
  24. Django + MySQL on Mac OS 10.6.2 Snow Leopard
  25. Nothing happens when I do: python manage.py command
  26. How to store a dictionary on a Django Model?
  27. Single Django model, multiple tables?
  28. How can I use redis with Django?
  29. update django database to reflect changes in existing models
  30. Django admin – inline inlines (or, three model editing at once)

Leave a Comment