Different value of csrf token in response header and browser cookies. csrf verification failing in django 1.9

Problem description

Most SO answers ask to clear the cookies and confirm the middleware classes. I have already tried that.

Python - 3.4
Django - 1.10
Using VirtualEnv.

I am getting a "Forbidden (403) CSRF verification failed. Request aborted." error on the Django admin login screen. I have hosted my site on pythonanywhere.com with Django version 1.9.

  • I have cleared the browser cookies. All of them.
  • I reloaded the login screen. GET request.
  • In the browser cookies, which were empty till now, one value has been set for my website, where the csrf value is = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  • In the response header, Set-Cookie was sent with cookie value = UT24544MghHLZi0IrGHQlCcpk1v0SbCy . The same value was available in the form's source code.
  • Now I entered the username and password and clicked on the login button.
  • Received the 403 error: CSRF verification failed. Request aborted.
  • I rechecked all the values of the csrf token.
  • In the request header the CSRF cookie value = XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP
  • In the form data the csrf value = UT24544MghHLZi0IrGHQlCcpk1v0SbCy

I already have 'django.middleware.csrf.CsrfViewMiddleware' in my middleware classes. I cleared the browser cache and cookies, and even restarted the system.

I have used exactly the same code on a different site, where it works perfectly fine.

Why are there different csrf-token values? What is the solution to this problem?

Update 1: If I set DEBUG = False in settings, it works fine. But I can't keep it that way, as the code is live.

Update 2: Upon further investigation I found out that somehow the browser cookie csrftoken's value is not being set to the correct value which is being passed in the response header. If I delete the cookie from the browser and then set it to the correct value from the console, POST requests work.

Update 3: Now the same issue is happening with every POST request or form submission I make on my web app. The CSRF token value sent in the response header and source code is not the same as the one being set in the browser cookies.

Update 4: Setting CSRF_COOKIE_NAME = "csrf_token" also didn't help.

Recommended answer

The unexpected value for the CSRF token is set when the browser tries to fetch the favicon.

The URL you have defined for your favicon seems to be invalid, and apparently, non-existing URLs are handled by your default view. This sets a different CSRF cookie, but the page that is displayed in the browser still has the initial CSRF token in the form.

Request that loads the page (screenshot):

Request that loads the favicon (screenshot):

You can fix this particular error by ensuring that the favicon exists.

Note that this bug will come back whenever any resource you link (e.g. an image) does not exist, because your app renders the homepage instead of returning a 404 error.
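An added check (not code from the question or the answer) that replays a browser's request/response sequence and flags any sub-resource response, such as the favicon fetch described above, that overwrote the csrftoken cookie with a new value. The request order, the sub-resource suffix list and the Set-Cookie headers are constructed assumptions; the two token values are the ones quoted in the question.

```python
from http.cookies import SimpleCookie

# Constructed browser exchange for one page load: (request path, status, Set-Cookie header or None).
# Token values are the ones quoted in the question; the request order is an assumption.
SAMPLE_EXCHANGE = [
    ("/admin/login/", 200, "csrftoken=UT24544MghHLZi0IrGHQlCcpk1v0SbCy; Path=/"),
    ("/static/admin/css/base.css", 200, None),
    ("/favicon.ico", 200, "csrftoken=XPp5hAhylAkt27U4SzGPNU7w8SFBJ3RP; Path=/"),
]

# Extensions a browser fetches as sub-resources; a response to one of these should
# never need to (re)issue the CSRF cookie. Assumed list, extend as needed.
SUBRESOURCE_SUFFIXES = (".ico", ".png", ".jpg", ".gif", ".css", ".js", ".svg", ".woff")


def cookie_value(set_cookie_header, name):
    """Return the value of cookie `name` from a Set-Cookie header, or None if absent."""
    if not set_cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name].value if name in jar else None


def find_csrf_rotations(exchange, cookie_name="csrftoken"):
    """Replay the exchange and report every sub-resource response that replaced the
    CSRF cookie with a different value. Returns [(path, old_value, new_value), ...]."""
    current = None
    rotations = []
    for path, _status, header in exchange:
        new = cookie_value(header, cookie_name)
        if new is None:
            continue
        if current is not None and new != current and path.lower().endswith(SUBRESOURCE_SUFFIXES):
            rotations.append((path, current, new))
        current = new
    return rotations


def final_cookie(exchange, cookie_name="csrftoken"):
    """Value the browser holds after the exchange (the last Set-Cookie wins)."""
    value = None
    for _path, _status, header in exchange:
        v = cookie_value(header, cookie_name)
        if v is not None:
            value = v
    return value


if __name__ == "__main__":
    for path, old, new in find_csrf_rotations(SAMPLE_EXCHANGE):
        print(f"{path} replaced CSRF cookie {old} with {new}")
    print("token in the form:", cookie_value(SAMPLE_EXCHANGE[0][2], "csrftoken"))
    print("cookie sent on POST:", final_cookie(SAMPLE_EXCHANGE))
```

Run against a real capture (browser devtools export or proxy log), a non-empty result points at the URL whose handler is rendering a page instead of returning 404.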
