Django - 403 Forbidden CSRF verification failed

Question

I have a contact form in Django for my website, and when I test it locally it works fine, but now when I try to submit the contact form "live" I always get 403 Forbidden CSRF verification failed.

view:
from django.core.mail import send_mail
from django.http import HttpResponseRedirect
from django.shortcuts import render

from .forms import ContactForm  # the form class is not shown in the post; this import path is assumed


def contact(request):
    if request.method == 'POST':
        form = ContactForm(request.POST)
        if form.is_valid():
            cd = form.cleaned_data
            send_mail(
                cd['subject'],
                cd['message'],
                cd.get('email', 'noreply@example.org'),
                ['example@gmail.com'],
            )
            return HttpResponseRedirect('/thanks/')
    else:
        form = ContactForm()
    return render(request, 'contact/contact.html', {'form': form})

contact.html

{% extends 'site_base.html' %}
{% block head_title %}Contact{% endblock %}
{% block body %}
<h2>Contact Us</h2>
<p>To send us a message, fill out the below form.</p>
{% if form.errors %}
<p style="color: red;">
Please correct the error{{ form.errors|pluralize }} below.
</p>
{% endif %}
<form action="" method="POST">
{% csrf_token %}
<table>
{{ form.as_table }}
</table>
<br />
<button type="submit" value="Submit" class="btn btn-primary">Submit</button>
</form>
{% endblock %}

settings (the ones I thought would be relevant):

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
MIDDLEWARE_CLASSES = [
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

After trying to rule out some things, here's what I discovered. When I comment out

SESSION_COOKIE_SECURE = TRUE
and CSRF_COOKIE_SECURE = TRUE
and SESSION_EXPIRE_AT_BROWSER_CLOSE = TRUE

it works no problem. If I just comment out

CSRF_COOKIE_SECURE = TRUE

it works fine. Something weird seems to be going on with how I'm handling CSRF... any help would be great.

Answer

Sounds to me like the site is not https if it works when you comment out that line? CSRF_COOKIE_SECURE = True makes the csrf token only work with ssl per the docs https://docs.djangoproject.com/en/1.7/ref/settings/#csrf-cookie-secure
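The answer above can be checked without a deployment. The following is an added example, not code from the question, the answer or Django itself: a small pure-Python model of the three pieces that produce the 403. Django emits the csrftoken cookie with the Secure attribute when CSRF_COOKIE_SECURE is True; a browser never attaches a Secure cookie to a plain http:// request; and on POST the CSRF middleware compares the cookie with the hidden csrfmiddlewaretoken field, rejecting the request with "CSRF cookie not set." when the cookie is absent. The URLs, token values and the simplified middleware logic below are assumptions made for the demonstration (the token comparison mirrors the Django 1.7-era behaviour of comparing the raw cookie with the form field, not later masked tokens).

```python
"""Model of why CSRF_COOKIE_SECURE = True yields 403 on a plain-HTTP deployment.

Added example: the cookie jar and the CSRF check below are simplified stand-ins
for a browser and for Django's CsrfViewMiddleware, not Django's own code.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

CSRF_COOKIE_NAME = "csrftoken"


def set_cookie_header(token, csrf_cookie_secure):
    """Build the Set-Cookie header value Django sends for the CSRF cookie."""
    cookie = SimpleCookie()
    cookie[CSRF_COOKIE_NAME] = token
    cookie[CSRF_COOKIE_NAME]["path"] = "/"
    if csrf_cookie_secure:
        cookie[CSRF_COOKIE_NAME]["secure"] = True  # this is what the setting adds
    return cookie.output(header="").strip()


class BrowserCookieJar:
    """Minimal cookie jar that honours the Secure attribute when sending."""

    def __init__(self):
        self._cookies = {}

    def store(self, set_cookie_header):
        jar = SimpleCookie()
        jar.load(set_cookie_header)
        for name, morsel in jar.items():
            self._cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header_for(self, url):
        """Return the Cookie header a browser would attach to a request to url."""
        scheme = urlsplit(url).scheme
        parts = []
        for name, (value, secure) in self._cookies.items():
            if secure and scheme != "https":
                continue  # a Secure cookie is never sent over plain http
            parts.append(f"{name}={value}")
        return "; ".join(parts)


def csrf_check(cookie_header, form_token):
    """Simplified CsrfViewMiddleware check for a POST: returns (accepted, reason)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if CSRF_COOKIE_NAME not in jar:
        return False, "CSRF cookie not set."
    cookie_token = jar[CSRF_COOKIE_NAME].value
    if not form_token or not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token missing or incorrect."
    return True, "OK"


def submit_contact_form(site_url, csrf_cookie_secure):
    """Simulate a GET of the contact form followed by a POST from the same browser."""
    token = secrets.token_hex(16)  # 32-character token, as Django 1.7 issued
    browser = BrowserCookieJar()
    # GET: the response sets the csrftoken cookie; {% csrf_token %} renders
    # the same value into the hidden form field.
    browser.store(set_cookie_header(token, csrf_cookie_secure))
    hidden_field_value = token
    # POST to the same URL: the browser decides which cookies to attach.
    cookie_header = browser.cookie_header_for(site_url)
    return csrf_check(cookie_header, hidden_field_value)


def main():
    # Constructed scenarios: local dev over http, live site over http, live over https.
    for url, secure in [
        ("http://127.0.0.1:8000/contact/", False),
        ("http://www.example.org/contact/", True),
        ("https://www.example.org/contact/", True),
    ]:
        ok, reason = submit_contact_form(url, secure)
        status = "200" if ok else "403"
        print(f"{url:38} CSRF_COOKIE_SECURE={secure!s:5} -> {status} {reason}")


if __name__ == "__main__":
    main()
```

The second scenario is the questioner's situation: the cookie is issued with Secure, the browser drops it on the http:// POST, and the middleware sees no CSRF cookie at all. The right fix is to serve the live site over HTTPS (and, if TLS terminates at a proxy in front of Django, configure SECURE_PROXY_SSL_HEADER so that request.is_secure() reflects it), not to remove CSRF_COOKIE_SECURE: with the flag off, the CSRF cookie and the session cookie travel in the clear on any http request.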