Logging into django admin suddenly requires csrf token

I logged into the django admin console a few minutes ago. I must have changed something that caused this error when logging in as superuser:

Forbidden (403) Failed to perform CSRF check. Request aborted.

This error caught me off guard after I had been logging in all night. Why do I suddenly need a csrf token to log into the system? You would think that the sign-in form already has this. This is my admin.py:

    from django.contrib import admin
    from accounts.models import Image, Category, UserProfile

    class ImageAdmin(admin.ModelAdmin):
        list_display = ["__unicode__", "title", "created"]

    # register with the ImageAdmin class defined above (the original referenced
    # an undefined GenericImageAdmin, which would raise NameError on import)
    admin.site.register(Image, ImageAdmin)

    class CategoryAdmin(admin.ModelAdmin):
        list_display = ["category"]

    admin.site.register(Category, CategoryAdmin)
    admin.site.register(UserProfile)
+11

6 answers

Logging in to the admin always requires the csrf token, but usually this is taken care of for you.

  1. Check your browser cookies to see if there is a csrf token.
  2. Try clearing cookies and refreshing.
  3. Make sure you have django.middleware.csrf.CsrfViewMiddleware in MIDDLEWARE.
  4. Make sure you use https or CSRF_COOKIE_SECURE=False (the default); otherwise your csrf cookie exists but will not be sent. Clear cookies after changing CSRF_COOKIE_SECURE.
+13

Add the csrf token to your context in the login window, and in your template add a hidden div for the csrf token. Make sure you have django.middleware.csrf.CsrfViewMiddleware in the middleware section in the settings.py file.

Then add @csrf_protect to your views that deal with login. It is also possible that you tried to log in with the wrong credentials. You need @csrf_protect on the logout view in your application's views.py, and you call the appropriate URI to log in/out, etc., in urls.py. My logout just calls logout(request) and then HttpResponseRedirect(''), which is probably not perfect, but for now it suits my needs.

+1

This error appeared for me when I did not set CSRF_COOKIE_DOMAIN in my local_settings, but it was set in my main settings.py file.

In my case, I set it to localhost, for example:

    CSRF_COOKIE_DOMAIN = '127.0.0.1'

+1

As a security measure, I had CSRF_COOKIE_SECURE = True in my settings. When I tried to log in to the admin over localhost, where there is no HTTPS, the request was denied with this error.

Set it to False to make it work with localhost.

+1
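The checklist in the first answer and the CSRF_COOKIE_DOMAIN and CSRF_COOKIE_SECURE answers above all come down to whether the csrf cookie can reach Django's check. As an added example (not from this thread or from Django itself), here is a pure-Python diagnostic for those three causes; it takes a dict using Django's setting names and the login URL, and the EXAMPLE_SETTINGS values are constructed for the demonstration.

```python
from urllib.parse import urlsplit

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"

# Constructed settings: part of Django's default MIDDLEWARE list plus the two
# values discussed in this thread (CSRF_COOKIE_SECURE and CSRF_COOKIE_DOMAIN).
EXAMPLE_SETTINGS = {
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        CSRF_MIDDLEWARE,
        "django.contrib.auth.middleware.AuthenticationMiddleware",
    ],
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_DOMAIN": "127.0.0.1",
}


def cookie_domain_covers(cookie_domain: str, host: str) -> bool:
    """Cookie Domain rule: the host must equal the domain or be a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def diagnose_csrf(settings: dict, login_url: str) -> list[str]:
    """List the settings problems that stop the csrf cookie from reaching
    Django's check when the admin login form at login_url is submitted."""
    url = urlsplit(login_url)
    host = url.hostname or ""  # lower-cased, port stripped
    findings = []
    if CSRF_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        findings.append("CsrfViewMiddleware is not in MIDDLEWARE: the csrf cookie is "
                        "never set and CSRF protection is off for every view")
    if settings.get("CSRF_COOKIE_SECURE", False) and url.scheme != "https":
        findings.append("CSRF_COOKIE_SECURE=True but the login is over http: the browser "
                        "drops the Secure cookie, so the POST carries no csrf cookie")
    domain = settings.get("CSRF_COOKIE_DOMAIN")
    if domain and not cookie_domain_covers(domain, host):
        findings.append(f"CSRF_COOKIE_DOMAIN={domain!r} does not cover host {host!r}: "
                        "the browser rejects the cookie for this site")
    return findings


if __name__ == "__main__":
    for url in ("http://localhost:8000/admin/login/", "https://127.0.0.1/admin/login/"):
        print(url, diagnose_csrf(EXAMPLE_SETTINGS, url) or ["ok"])
```

Running it reports two findings for the http://localhost URL (Secure cookie over http, domain mismatch) and none for https://127.0.0.1, which matches the fixes the answers above arrived at.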

This can also happen if you are already logged in to your site at a URL other than the admin. Then try logging into your admin panel in a new tab, or try opening the admin panel in another window.

0

Disabling CSRF validation worked for me. I know this is not as reliable as extracting CSRF middleware from your project, but it worked for me.

Here is how I did it:

Step 1. Create a new application in your project and name it middle (that's what I called it) with python manage.py startapp middle

Step 2. Open the "apps.py" file in a new application folder and make the appropriate changes so that the code looks something like this:

    from django.apps import AppConfig
    from django.utils.deprecation import MiddlewareMixin

    class MiddleConfig(AppConfig):
        name = 'middle'

    class DisableCSRF(MiddlewareMixin):
        def process_request(self, request):
            # tells CsrfViewMiddleware (and the admin's own check) to skip this request
            setattr(request, '_dont_enforce_csrf_checks', True)

(Note: your first call may differ depending on what you named your project)

Step 3. Remove 'django.middleware.csrf.CsrfViewMiddleware' from the MIDDLEWARE list in the settings.py file of your project directory and add another entry to the MIDDLEWARE list: 'middle.apps.DisableCSRF'

(Note: use the new application name instead of middle if you gave the new application a different name)

The MIDDLEWARE list in your settings.py file should look something like this:

    MIDDLEWARE = [
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        # 'django.middleware.csrf.CsrfViewMiddleware',
        'middle.apps.DisableCSRF',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]

I hope this works for you guys too.

(See this post for more information on disabling CSRF validation in Django: how to disable CSRF validation in Django?)

Thank you.

0

Source: https://habr.com/ru/post/984974/
