CSRF verification failed. Request aborted. on Django


Question

I am following Django 1.3 Web Development, and for logins I am getting the following error:

Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
    CSRF token missing or incorrect.

This is my settings.py INSTALLED_APPS. It is exactly how the book says it should be.

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    # Uncomment the next line to enable the admin:
    'django.contrib.admin',
    # Uncomment the next line to enable admin documentation:
    # 'django.contrib.admindocs',
    'djangocricket.Cricket',
    'djangocricket.cms'
)

The book says it should contain django.contrib.auth.views.login, and I am including it in

from django.conf.urls.defaults import patterns, include, url
from django.contrib import admin

admin.autodiscover()

urlpatterns = patterns('',
    # Examples:
    url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
    url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
    url(r'^login/$', 'django.contrib.auth.views.login'),
    # url(r'^djangocricket/', include('djangocricket.foo.urls')),

    # Uncomment the admin/doc line below to enable admin documentation:
    #url(r'^admin/doc/', include('django.contrib.admindocs.urls')),

    # Uncomment the next line to enable the admin:
    url(r'^news/', 'djangocricket.cms.views.index', name='index'),
    #url(r'^news/(?P<slug>[^.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
    url(r'^admin/', include(admin.site.urls)),
)

and my registration/login.html, copy-pasted from the book. It should do.

<html>
<head>
    <title>Django Bookmarks - User Login</title>
</head>
<body>
<h1>User Login</h1>
{% if form.errors %}
    <p>Your username and password didn't match.
        Please try again.</p>
{% endif %}
<form method="post" action=".">
    <p><label for="id_username">Username:</label>
        {{ form.username }}</p>
    <p><label for="id_password">Password:</label>
        {{ form.password }}</p>
    <input type="hidden" name="next" value="/" />
    <input type="submit" value="login" />
</form>
</body>
</html>

What am I missing?

Recommended answer

You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.

This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.

For more info, check the Django documentation at: https://docs.djangoproject.com/en/dev/ref/csrf/

Here is an overview of the Cross-Site Request Forgery attack: https://www.owasp.org/index.php/CSRF
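The check the answer describes, as an added example that is not part of the original answer and not Django's own source: a dependency-free model of what CsrfViewMiddleware does with the csrftoken cookie and the hidden csrfmiddlewaretoken field that {% csrf_token %} emits. Two assumptions are worth stating. The blinding mask used here is the scheme Django adopted in later releases to hide the secret per render; Django 1.3 compared the cookie and the field directly, but the failure cases are the same, and the three outcomes below (token accepted, field missing as in the poster's template, token for somebody else's cookie) are exactly what produces the "CSRF token missing or incorrect." 403. Two caveats that the answer leaves implicit: django.contrib.auth.views.login renders with RequestContext, so for that view only the template tag is missing, but a custom view must also render with RequestContext (or Django's render shortcut) for the tag to have a value; and CsrfViewMiddleware must be in MIDDLEWARE_CLASSES, which the Django 1.3 default settings already include.

```python
"""Model of the Django CSRF check (added example, not Django's source).

CsrfViewMiddleware keeps a random secret in the csrftoken cookie. The
{% csrf_token %} tag renders that secret (masked) into a hidden input named
csrfmiddlewaretoken, and on every unsafe request (POST, PUT, ...) the
middleware requires the submitted value to match the cookie. An attacker's
page can make the victim's browser POST a form, but it cannot read the
victim's cookie, so it cannot supply a matching token.
"""
import hmac
import re
import secrets
import string
from urllib.parse import parse_qs

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits   # same alphabet as Django
CSRF_SECRET_LENGTH = 32                                      # same length as Django
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."        # the error from the question


def new_secret():
    """The value Django stores in the csrftoken cookie: 32 chars from a CSPRNG."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret):
    """Blind the secret with a fresh random mask so every rendered form differs."""
    mask = new_secret()
    n, idx = len(CSRF_ALLOWED_CHARS), CSRF_ALLOWED_CHARS.index
    cipher = "".join(CSRF_ALLOWED_CHARS[(idx(s) + idx(m)) % n] for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token):
    """Invert mask_secret: the first 32 chars are the mask, the rest the blinded secret."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n, idx = len(CSRF_ALLOWED_CHARS), CSRF_ALLOWED_CHARS.index
    return "".join(CSRF_ALLOWED_CHARS[(idx(c) - idx(m)) % n] for c, m in zip(cipher, mask))


def render_login_form(secret):
    """The poster's form plus the hidden input that {% csrf_token %} would emit."""
    return (
        '<form method="post" action=".">\n'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{mask_secret(secret)}">\n'
        '<input type="text" name="username"> <input type="password" name="password">\n'
        '<input type="hidden" name="next" value="/">\n'
        '<input type="submit" value="login">\n'
        '</form>'
    )


def token_from_html(html):
    """Simulate the browser: pull the hidden field back out of the rendered page."""
    m = re.search(r'name="csrfmiddlewaretoken" value="([A-Za-z0-9]+)"', html)
    return m.group(1) if m else None


def check_csrf(cookies, body):
    """Return (ok, reason) for a POST, in the spirit of CsrfViewMiddleware.process_view.

    cookies: dict of request cookies; body: urlencoded POST body (constructed inputs).
    Referer checks for HTTPS and the @csrf_exempt path are left out of this model.
    """
    secret = cookies.get("csrftoken")
    if secret is None or len(secret) != CSRF_SECRET_LENGTH \
            or any(c not in CSRF_ALLOWED_CHARS for c in secret):
        return False, REASON_NO_COOKIE
    token = parse_qs(body).get("csrfmiddlewaretoken", [None])[0]
    if token is None or len(token) != 2 * CSRF_SECRET_LENGTH \
            or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return False, REASON_BAD_TOKEN
    # Constant-time comparison, as Django does, so timing does not leak the secret.
    if not hmac.compare_digest(unmask_token(token), secret):
        return False, REASON_BAD_TOKEN
    return True, ""


if __name__ == "__main__":
    cookie = new_secret()
    tok = token_from_html(render_login_form(cookie))
    print(check_csrf({"csrftoken": cookie}, f"username=a&password=b&csrfmiddlewaretoken={tok}"))
    print(check_csrf({"csrftoken": cookie}, "username=a&password=b&next=/"))  # the poster's template
```

Running the block prints `(True, '')` for the form that carries the hidden field and `(False, 'CSRF token missing or incorrect.')` for a body that lacks it, which is the poster's situation: the login view and middleware were configured correctly, the template simply never rendered the token.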
