Django CSRF Failure After Upgrade 1.9 > 1.11


Question

I've just upgraded an app I'm developing from 1.9 to 1.11 and am getting constant errors on all form posts:

CSRF token missing or incorrect.

All CSRF tokens were working fine in 1.9. Here is the view:

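from django.contrib import messages
from django.shortcuts import redirect, render
from django.urls import reverse

# forms, logic and core_models are the project's own modules;
# their imports are not shown in the question.


def contact(request):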
    subject = request.GET.get('subject', '')
    contact_form = forms.ContactForm(subject=subject)

    if request.POST:
        contact_form = forms.ContactForm(request.POST)

        if contact_form.is_valid():
            new_contact = contact_form.save()
            logic.send_contact_message(new_contact, request)
            messages.add_message(request, messages.SUCCESS, 'Your message has been sent.')
            return redirect(reverse('contact'))

    template = 'journal/contact.html'
    context = {
        'contact_form': contact_form,
        'contacts': core_models.Contacts.objects.filter(content_type=request.content_type,
                                                    object_id=request.site_type.pk)
    }

    return render(request, template, context)

Here is the template:

            <h4>{% trans "Contact" %}</h4>
            <form method="POST">
                {% include "elements/forms/errors.html" with form=contact_form %}
                {% csrf_token %}
                <label for="id_recipient">{% trans "Who would you like to contact?" %}</label>
                <select id="id_recipient" name="recipient">
                    {% for contact in contacts %}<option value="{{ contact.email }}">{{ contact.name }}, {{ contact.role }}</option>{% endfor %}
                </select>
                {{ contact_form.sender|foundation }}
                {{ contact_form.subject|foundation }}
                {{ contact_form.body|foundation }}
                {{ contact_form.are_you_a_robot|foundation }}
                <button type="submit" class="success button">{% trans "Send Message" %}</button>
            </form>


Recommended answer

Django 1.10 introduced salted CSRF tokens that change every time the user logs in:


Changed in Django 1.10:

Added salting to the token and started changing it with each request to protect against BREACH attacks.

You will have to log out and back in again to generate a new salted token before your forms will work.

Melvyn suggests clearing your session store in a comment. That would work too, and is probably a better option if you have many users.

You might also have to modify your middleware settings to reflect the new style introduced in Django 1.10. The old MIDDLEWARE_CLASSES setting is deprecated in favour of MIDDLEWARE. Make sure that 'django.middleware.csrf.CsrfViewMiddleware' is included in your MIDDLEWARE. If you have custom middleware (or if you're using libraries that use old-style middleware) it will have to be updated.
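
An added example (not part of the original answer and not Django's source code): a sketch of how salting a CSRF token per request can work, so that the string rendered into each form differs while the underlying secret stays the same. The function names and the 32-character length are assumptions made for this illustration.

```python
import hmac
import secrets
import string

ALLOWED = string.ascii_letters + string.digits  # alphabet shared by secret and salt
SECRET_LEN = 32                                 # assumed length for this sketch


def _rand(n):
    """Random string of n characters drawn from ALLOWED."""
    return "".join(secrets.choice(ALLOWED) for _ in range(n))


def new_secret():
    """Long-lived secret the server keeps for one client."""
    return _rand(SECRET_LEN)


def mask(secret):
    """Return salt + cipher, using a fresh salt on every call."""
    salt = _rand(SECRET_LEN)
    cipher = "".join(
        ALLOWED[(ALLOWED.index(s) + ALLOWED.index(k)) % len(ALLOWED)]
        for s, k in zip(secret, salt)
    )
    return salt + cipher


def unmask(token):
    """Recover the secret from a masked token; None if the token is malformed."""
    if len(token) != 2 * SECRET_LEN or any(c not in ALLOWED for c in token):
        return None
    salt, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(
        ALLOWED[(ALLOWED.index(c) - ALLOWED.index(k)) % len(ALLOWED)]
        for c, k in zip(cipher, salt)
    )


def tokens_match(form_token, stored_token):
    """Compare the unmasked secrets in constant time, never the raw strings."""
    a, b = unmask(form_token), unmask(stored_token)
    return a is not None and b is not None and hmac.compare_digest(a, b)
```

Because the salt changes on every call to `mask`, a compressed response never contains the same token bytes twice, which is the property the BREACH mitigation relies on.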
