升级1.9后Django CSRF失败> 1.11 [英] Django CSRF Failure After Upgrade 1.9 > 1.11
问题描述
我刚刚将我正在开发的应用程序从1.9升级到1.11,并且在所有表单帖子中不断出现错误:
I've just upgraded an app I'm developing from 1.9 to 1.11 and am getting constant errors on all form posts:
CSRF token missing or incorrect.
所有CSRF令牌在1.9中均能正常工作。这里是视图:
All CSRF tokens were working fine in 1.9. Here is the view:
def contact(request):
subject = request.GET.get('subject', '')
contact_form = forms.ContactForm(subject=subject)
if request.POST:
contact_form = forms.ContactForm(request.POST)
if contact_form.is_valid():
new_contact = contact_form.save()
logic.send_contact_message(new_contact, request)
messages.add_message(request, messages.SUCCESS, 'Your message has been sent.')
return redirect(reverse('contact'))
template = 'journal/contact.html'
context = {
'contact_form': contact_form,
'contacts': core_models.Contacts.objects.filter(content_type=request.content_type,
object_id=request.site_type.pk)
}
return render(request, template, context)
这里是模板e:
<h4>{% trans "Contact" %}</h4>
<form method="POST">
{% include "elements/forms/errors.html" with form=contact_form %}
{% csrf_token %}
<label for="id_recipient">{% trans "Who would you like to contact?" %}</label>
<select id="id_recipient" name="recipient">
{% for contact in contacts %}<option value="{{ contact.email }}">{{ contact.name }}, {{ contact.role }}</option>{% endfor %}
</select>
{{ contact_form.sender|foundation }}
{{ contact_form.subject|foundation }}
{{ contact_form.body|foundation }}
{{ contact_form.are_you_a_robot|foundation }}
<button type="submit" class="success button">{% trans "Send Message" %}</button>
</form>
推荐答案
Django 1.10 引入了咸化CSRF令牌,这些令牌在用户每次登录时都会更改:
Django 1.10 introduced salted CSRF tokens that change every time the user logs in:
在Django 1.10中已更改:
为令牌添加了盐析,并在每次保护请求时开始对其进行更改对抗破坏攻击。
Added salting to the token and started changing it with each request to protect against BREACH attacks.
您将必须退出,然后再次登录才能生成新的含盐令牌。
You will have to log out and back in again to generate a new salted token before your forms will work.
Melvyn建议在注释中清除会话存储。这也将起作用,并且如果您有很多用户,可能是一个更好的选择。
Melvyn suggests clearing your session store in a comment. That would work too, and is probably a better option if you have many users.
您可能还必须修改中间件设置以反映 Django 1.10中引入的新样式。 旧的 MIDDLEWARE_CLASSES
设置已弃用,而推荐使用 MIDDLEWARE
。确保'django.middleware.csrf.CsrfViewMiddleware'
已包含在 MIDDLEWARE
中。如果您有自定义中间件(或者如果您正在使用使用旧式中间件的库),则必须对其进行更新。
You might also have to modify your middleware settings to reflect the new style introduced in Django 1.10. The old MIDDLEWARE_CLASSES
setting is deprecated in favour of MIDDLEWARE
. Make sure that 'django.middleware.csrf.CsrfViewMiddleware'
is included in your MIDDLEWARE
. If you have custom middleware (or if you're using libraries that use old-style middleware) it will have to be updated.
这篇关于升级1.9后Django CSRF失败> 1.11的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!