Django-403禁止CSRF验证失败 [英] Django - 403 Forbidden CSRF verification failed

查看:80
本文介绍了Django-403禁止CSRF验证失败的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在Django中有一个用于我的网站的联系表,当我在本地对其进行测试时,它工作正常,但是现在当我尝试实时"提交联系表时,总是出现403 Forbidden CSRF验证失败.

视图:

  def联系人(请求):如果request.method =='POST':表格= ContactForm(request.POST)如果form.is_valid():cd = form.cleaned_data发送邮件(cd ['subject'],cd ['message'],cd.get('email','noreply@example.org'),['example@gmail.com'],)返回HttpResponseRedirect('/thanks/')别的:形式= ContactForm()返回render(request,'contact/contact.html',{'form':form}) 

contact.html

  {%扩展了'site_base.html'%}{%block head_title%}联系方式{%endblock%}{%格挡身体%}< h2>与我们联系</h2>< p>要向我们发送消息,请填写以下表格.{%,如果form.errors%}< p style ="color:red;">请更正以下错误{{form.errors | pluralize}}.</p>{% 万一 %}< form action =" method ="POST">{%csrf_token%}< table>{{form.as_table}}</table>< br/>< button type ="submit" value ="Submit" class ="btn btn-primary"> Submit</button></form>{%endblock%} 

设置(我认为很重要的设置):

  SESSION_COOKIE_SECURE = TrueCSRF_COOKIE_SECURE =真SESSION_EXPIRE_AT_BROWSER_CLOSE =真MIDDLEWARE_CLASSES = ["django.middleware.csrf.CsrfViewMiddleware","django.middleware.common.CommonMiddleware","django.contrib.sessions.middleware.SessionMiddleware","django.contrib.auth.middleware.AuthenticationMiddleware","django.contrib.messages.middleware.MessageMiddleware",'django.middleware.clickjacking.XFrameOptionsMiddleware',] 

尝试排除某些情况后,这就是我发现的内容.当我注释掉 SESSION_COOKIE_SECURE = TRUE CSRF_COOKIE_SECURE = TRUE SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE 时,它没有问题.

如果我只是注释掉 CSRF_COOKIE_SECURE = TRUE ,它就可以正常工作.我处理CSRF的方式似乎有些奇怪……任何帮助都很好.

解决方案

对我来说,如果您注释掉该行,该网站就不是https的网站了吗? CSRF_COOKIE_SECURE = True 根据文档

view:

def contact(request):
    if request.method == 'POST':
        form = ContactForm(request.POST)
        if form.is_valid():
            cd = form.cleaned_data
            send_mail(
                cd['subject'],
                cd['message'],
                cd.get('email', 'noreply@example.org'),
                ['example@gmail.com'],
            )
            return HttpResponseRedirect('/thanks/')
    else:
        form = ContactForm()
    return render(request, 'contact/contact.html', {'form': form})

contact.html

{% extends 'site_base.html' %}

{% block head_title %}Contact{% endblock %}

{% block body %}

      <h2>Contact Us</h2>
      <p>To send us a message, fill out the below form.</p>

    {% if form.errors %}
        <p style="color: red;">
            Please correct the error{{ form.errors|pluralize }} below.
        </p>
    {% endif %}

    <form action="" method="POST">
    {% csrf_token %}
        <table>
            {{ form.as_table }}
        </table>
        <br />
        <button type="submit" value="Submit" class="btn btn-primary">Submit</button>
    </form>    

{% endblock %}

settings (the ones I thought would be relevant):

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
MIDDLEWARE_CLASSES = [
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

After trying to rule out some things, here's what I discovered. When I comment out SESSION_COOKIE_SECURE = TRUE and CSRF_COOKIE_SECURE = TRUE and SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE it works no problem.

If I just comment out CSRF_COOKIE_SECURE = TRUE it works fine. Something weird seems to be going on with how I'm handling CSRF... any help would be great.

解决方案

Sounds to me like the site is not https if it works when you comment out that line? CSRF_COOKIE_SECURE=True makes the csrf token only work with ssl per the docs https://docs.djangoproject.com/en/1.7/ref/settings/#csrf-cookie-secure

这篇关于Django-403禁止CSRF验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆