Forbidden (403) CSRF verification failed. Request aborted. Solution

Source: Internet
Author: User
Tags: csrf attack

If you repost this blog, please credit the source!

Author: Yu XiaoYu

Link: http://blog.csdn.net/zgyulongfei/article/details/8830750


First, here is the error page as it appeared:



This error held me up for an entire morning. I searched for many answers on the Internet, and they all gave roughly the same solution. I followed them, but the error remained.

Then Jack helped solve the problem.

My earlier attempts always stopped one step short. I did not understand how Django's CSRF protection works, so I was working blind and wasted a lot of time.

Now to the problem itself. If you have made the same mistake, this may serve as a reference.


First, I wrote test.html, as follows:

<!DOCTYPE html> <html lang="zh-CN">

The page is opened at xx.xx.com/post, and the view it executes is

def post_html(rq):
    return render_to_response("test.html")

This form already contains the {% csrf_token %} tag, which is exactly the tag the online solutions say to add.

Clicking the Publish button submits the form to /postblog. Next, let's look at the server code.

First, add django.middleware.csrf.CsrfViewMiddleware in settings.py:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    # Uncomment the next line for simple clickjacking protection:
    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

Then look at urls.py:

url(r'^postblog$', 'postBlog'),

And views.py:

def postBlog(rq):
    return render_to_response('ok.html', context_instance=RequestContext(rq))

As a Django beginner, I had done everything the help text on the error page asks for. Why was the result still wrong?

A: Because the HTML page was wrong from the very beginning, and I was trying to fix the problem on top of that error, so nothing I tried could rescue it.


An experienced Django developer will see the root cause at a glance.

In fact, {% csrf_token %} in the form is given its value when the HTML page is rendered, and that csrf_token must be sent back to the server for verification on POST. If verification succeeds, the POST is processed; otherwise the request is treated as a CSRF attack.

In the code above, the server never supplied a csrf_token when it rendered test.html, so the POST cannot pass verification.

context_instance=RequestContext(rq) is what makes the csrf_token available to the template, but in the code above it is only passed in the view that handles the POST. The correct place is the view that renders the HTML page, before the POST happens.


You only need to modify the post_html method:

def post_html(rq):
    return render_to_response("test.html", context_instance=RequestContext(rq))
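To make the two flows concrete, here is an added, self-contained model of what CsrfViewMiddleware checks; it is not Django's code and not from the original post. The render, get_page, browser_submit and csrf_middleware helpers are hypothetical stand-ins for render_to_response, the /post view, the browser and the middleware, and Django's extra masking of the form token is left out.

```python
import hmac
import secrets

COOKIE = "csrftoken"           # cookie CsrfViewMiddleware sets
FIELD = "csrfmiddlewaretoken"  # hidden input that {% csrf_token %} emits

# Constructed stand-in for test.html: the form that posts to /postblog.
TEST_HTML = ('<form method="post" action="/postblog">{% csrf_token %}'
             '<input type="submit" value="Publish"></form>')


def render(template, context=None):
    """Model of render_to_response(): the tag expands only when the context
    carries csrf_token, which RequestContext supplies and a bare call does not."""
    token = (context or {}).get("csrf_token")
    tag = f'<input type="hidden" name="{FIELD}" value="{token}">' if token else ""
    return template.replace("{% csrf_token %}", tag)


def get_page(cookies, use_request_context):
    """GET /post. With RequestContext a token is issued and stored in the
    csrftoken cookie; without it the form is rendered with no token at all."""
    if not use_request_context:
        return render(TEST_HTML)               # the buggy post_html()
    token = cookies.setdefault(COOKIE, secrets.token_hex(16))
    return render(TEST_HTML, {"csrf_token": token})  # the fixed post_html()


def browser_submit(html):
    """Collect the hidden field the way a browser builds the POST body."""
    marker = f'name="{FIELD}" value="'
    if marker not in html:
        return {}
    start = html.index(marker) + len(marker)
    return {FIELD: html[start:html.index('"', start)]}


def csrf_middleware(cookies, post_data):
    """POST /postblog: the cookie token and the form token must match,
    otherwise the request is rejected as a possible CSRF attack (403)."""
    cookie_token = cookies.get(COOKIE, "")
    form_token = post_data.get(FIELD, "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return 403
    return 200


def flow(use_request_context):
    """Open /post, submit the form to /postblog, return the status code."""
    cookies = {}                               # one browser's cookie jar
    page = get_page(cookies, use_request_context)
    return csrf_middleware(cookies, browser_submit(page))
```

flow(False) reproduces the 403 from the original post_html, flow(True) is the fixed version returning 200.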

That's it.

