响应标头和浏览器cookie中的csrf令牌值不同。 django 1.9中的csrf验证失败 [英] Different value of csrf token in response header and browser cookies. csrf verification failing in django 1.9

问题描述

大多数SO答案都要求清除cookie和确认中间件类。我已经尝试过了。

Python-3.4

Django-1.10

使用VirtualEnv。

Python - 3.4
Django - 1.10
Using VirtualEnv.

我收到禁止（403）CSRF验证失败。请求已中止。在Django管理员登录屏幕上出现错误。我已经使用django 1.9版将我的网站托管在pythonanywhere.com上。

I am getting Forbidden (403) CSRF verification failed. Request aborted. error on Django admin login screen. I have hosted my site on pythonanywhere.com with django version 1.9.

• 我已经清除了浏览器cookie。所有这些。


• 我重新加载了登录屏幕。


• 在到目前为止一直为空的浏览器cookie中，为我的网站设置了一个值，其中csrf值= XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  


• 在响应标头中，已发送带有Cookie值= UT24544MghHLZi0IrGHQlCcpk1v0SbCy的设置Cookie code>。表单的源代码中提供了相同的值。



• 现在我输入了用户名和密码，然后单击登录按钮。


• 收到403错误CSRF验证失败。请求中止。


• 我重新检查了csrf令牌的所有值。


• 在请求标头中，CSRF cookie值= XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  



• 表单数据csrf值= UT24544MghHLZi0IrGHQlCcpk1v0SbCy
  

• I have cleared the browser cookies. All of them.
• I reloaded the login screen. Get request.
• In browser cookies, which were empty till now, one value has been set for my website, where csrf value is = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
• In response header, set cookies was send with cookies value = UT24544MghHLZi0IrGHQlCcpk1v0SbCy . Same value was available in form's source code.
• Now I entered the username and password and click on login button.
• Received the 403 error CSRF verification failed. Request aborted.
• I rechecked all the values of csrf token.
• In request header CSRF cookies values = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP

• In form data csrf values = UT24544MghHLZi0IrGHQlCcpk1v0SbCy

我已经有'django.middleware.csrf.CsrfViewMiddleware '，在中间件类中。我清除了浏览器缓存和Cookie。甚至重新启动了系统。

I already have 'django.middleware.csrf.CsrfViewMiddleware', in middleware classes. I cleared browser cache and cookies. Even restarted the system.

我在完全正常的其他站点上使用了完全相同的代码。

I have used exactly same code on different site where it is working perfectly fine.

为什么有不同的csrf令牌值？解决此问题的方法是什么？

Why there are different csrf-token values? What is the solution to this problem?

更新1：如果我在设置中设置debug = False，则可以正常工作。

update 1: If I set debug = False in settings, it works fine. But I cant keep it as code is live.

更新2 ：经过进一步调查，我发现浏览器cookie csrftoken的价值并没有设置为在响应标头中传递的正确值。如果我从浏览器中删除了cookie，然后将其从控制台中设置为正确的值，则发布请求可以正常工作。

update 2: Upon further investigation I found out that somehow browser cookie csrftoken's value is not being set to correct value which is being passed in response header. If I delete and the cookie from browser and then set it to correct value from console, post requests work.

更新3 ：现在是同样的问题我在网络应用程序上所做的每个帖子请求或表单提交都在发生。在响应标头和源代码中发送的CSRF令牌值与在浏览器Cookie中设置的值不同。

update 3 : Now same issue is happening with every post request or form submission I am doing on my web app. CSRF token value sent in response header and source code is not same as the one being set in browser cookies.

更新4：设置CSRF_COOKIE_NAME = csrf_token也无济于事。

update 4: Setting CSRF_COOKIE_NAME = "csrf_token" also didn't helped.

推荐答案

浏览器尝试获取收藏夹图标时，设置了CSRF令牌的意外值。

The unexpected value for the CSRF token is set when the browser tries to fetch the favicon.

为收藏夹定义的URL似乎无效，显然，不存在的网址由您的默认视图处理。这会设置一个不同的CSRF cookie，但是浏览器中显示的页面仍然具有以下形式的初始CSRF令牌。

The URL you have defined for your favicon seems to be invalid, and apparently, non-existing URLs are handled by your default view. This sets a different CSRF cookie, but the page that is displayed in the browser still has the initial CSRF token in the form.

请求加载页面：

Request loading the page:

请求加载收藏图标：

Request loading the favicon:

您可以通过确保收藏夹图标的存在来解决此特定错误。

You can fix this particular error by ensuring that the favicon exists.

请注意，只要您有任何资源，此错误就会再次出现链接（例如图片）不存在，因为您的应用程序呈现了首页而不是返回404错误。

Note this this bug will come back whenever any resource you link (e.g. an image) does not exist because your app renders the homepage instead of returning a 404 error.

这篇关于响应标头和浏览器cookie中的csrf令牌值不同。 django 1.9中的csrf验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！