Django CSRF fails when used in an extended page - django

All pages are extended from a base template.
There is a form in the base template and the form has the CSRF tag. When submitting the form while on the home page, all works fine. However, for all other pages (also extended from the same base template) the submit fails with the following error:
Forbidden (403)
CSRF verification failed. Request aborted.
Inspecting the page with Firebug, the hidden input field that holds the CSRF token is missing.

You need to do this -
In settings, modify: MIDDLEWARE_CLASSES = ('django.middleware.csrf.CsrfViewMiddleware',)
Next to any form in your templates, put this: <form method="post" class="login_form" name="frmlogin">{% csrf_token %}
This would solve your problem...

Related

csrf verification failed even after using csrf_exempt

Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
This error happens even after using csrf_exempt in the views.py page. How to resolve this issue?
https://i.stack.imgur.com/Y8tGL.png
Django handles CSRF automatically, so there is no need to exempt your code; just add the csrf template tag in your HTML template like this...
<form action="" method="post">
{% csrf_token %}
</form>
and remove the @csrf_exempt decorator which is on top of add_item.
NOTE: when you send a POST request, you need to add the CSRF token to the HTML POST form.
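To make the "CSRF token missing or incorrect" message concrete, here is a simplified model of the check Django's CsrfViewMiddleware applies to unsafe requests. This is an added example written for this page, not Django's own code: it compares the csrftoken cookie with the csrfmiddlewaretoken form field (or the X-CSRFToken header that later Django versions accept) and rejects the request when either half is missing or they differ. The 32-character alphanumeric token format and the reason strings are taken from Django 1.x; the `exempt` flag models a view decorated with @csrf_exempt.

```python
"""Simplified model of the check Django's CsrfViewMiddleware applies to every
unsafe request (POST, PUT, PATCH, DELETE). Added example written for this page,
not Django's own code. Assumption: 32-character alphanumeric tokens, as Django
1.x issues them; the reason strings match the ones Django reports."""
import hmac
import secrets
import string
from typing import Dict, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 32


def generate_token() -> str:
    """Fresh cookie value, as the middleware sets it on the first response."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))


def _sanitize(token: Optional[str]) -> Optional[str]:
    """Accept only a well-formed token; anything else counts as missing."""
    if token is None or len(token) != TOKEN_LENGTH:
        return None
    if any(ch not in TOKEN_ALPHABET for ch in token):
        return None
    return token


def check_csrf(method: str,
               cookies: Dict[str, str],
               post_data: Dict[str, str],
               headers: Optional[Dict[str, str]] = None,
               exempt: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request.

    ``exempt`` models a view decorated with @csrf_exempt: the check is skipped
    entirely, which is why exempting a view is the wrong fix for a form that
    simply lacks the hidden field.
    """
    headers = headers or {}
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check"
    if exempt:
        return True, "view is csrf_exempt, check skipped"

    cookie_token = _sanitize(cookies.get("csrftoken"))
    if cookie_token is None:
        # The browser never received (or did not send back) the cookie.
        return False, "CSRF cookie not set."

    # Form field first; fall back to the header used by XMLHttpRequest clients.
    request_token = _sanitize(post_data.get("csrfmiddlewaretoken")
                              or headers.get("X-CSRFToken"))
    if request_token is None:
        # A form rendered without the hidden field ends up here.
        return False, "CSRF token missing or incorrect."

    # Constant-time comparison, as Django does, so timing does not leak the token.
    if not hmac.compare_digest(cookie_token, request_token):
        return False, "CSRF token missing or incorrect."
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests covering the cases discussed on this page."""
    token = generate_token()
    return {
        "form with token": check_csrf("POST", {"csrftoken": token},
                                      {"csrfmiddlewaretoken": token}),
        "form rendered without token": check_csrf("POST", {"csrftoken": token}, {}),
        "no cookie at all": check_csrf("POST", {}, {"csrfmiddlewaretoken": token}),
        "exempt view": check_csrf("POST", {"csrftoken": token}, {}, exempt=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "form rendered without token" case is the symptom in the first question above: {% csrf_token %} emits the hidden field only when the template is rendered with a context that carries the csrf_token variable (a RequestContext in Django 1.x), so a page rendered without one submits an empty csrfmiddlewaretoken and fails with exactly this reason. The "exempt view" case shows why @csrf_exempt makes the error disappear: it disables the check rather than supplying the token.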

Handling errors when using custom forms with django-allauth

I'm using django-allauth and custom login and signup forms in my application. Everything works well until a user submits the login or signup form with an error.
The error shows up, but on a different page.
e.g. the intended login form is at the URI: /payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/
However, when there is a form error on the above page, it redirects to the default login URI: /accounts/login/ and displays the error there.
Is there a way to make sure the user is returned to the original page in case of a form error and have the error(s) displayed there?
Thanks in advance.
If you have a login form on the URI /payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/ and you do not want to redirect to /account/login, do not set that as the action of the form. Instead, create a payment view which can handle authorization directly on the payment URI.
<form class="login" method="POST" action="/payment/e886371a-fa52-4718-b8bc-e53fe8ac2bea/">
...
</form>
In your payment view you can extend the class allauth/accounts/views/LoginView, which handles normal email/password auth.

Forms with and without csrf tokens on single page

I have a login form on every page that's a popup, and it requires the csrf token.
I also have some form views that have a form that doesn't require the csrf token.
What I've found is that even if I have the {% csrf_token %} on the login form, if the view isn't wrapped with csrf_protect() it doesn't generate the token, so when the login form is submitted, it gets a CSRF missing error. OTOH, if I do wrap it, then the other form on the page that doesn't need it complains about it missing, though the login form works. One form submits to the current page's form view, while the other form submits to a separate form view.
Is it possible to get the csrf_token to generate even without the csrf_protect being used?
I saw the csrf_exempt function but it doesn't help when wrapping the view either. Is it possible to render two view functions or wrap it within the template? I'm just using a {% include login.html %}
Thanks

Can django-comments handle multiple comment forms on the page?

I have multiple models on a Django-powered webpage that have a django.contrib.comments form rendered for each. On this page, a post from one of these forms to /comments/post/ always results in:
Forbidden (403)
CSRF verification failed. Request aborted.
If I include the same comment form code on another page where there is just one such form, it posts just fine.
Also, FYI, I have included 'django.middleware.csrf.CsrfViewMiddleware' in the MIDDLEWARE_CLASSES and the {% csrf_token %} inside the comment form.
Any thoughts on this error or getting multiple django-comments forms on a page submitting correctly?

Django 1.2 CSRF and HTTP posts from Google Web Toolkit

I have a GWT web app working with a Django server side. I recently upgraded Django to 1.2, and am not able to get HTTP posts to work from my GWT app. I am getting this error:
CSRF verification failed. Request aborted.
Reason given for failure:
CSRF token missing or incorrect.
I have enabled the CSRF middlewares ('django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.csrf.CsrfResponseMiddleware'), which are working for contrib apps like login, but it seems as though the token is not getting added to posts made through GWT. Any ideas? Thanks in advance.
If you check the templates for auth.login, you'll notice that a CSRF token is explicitly included inside the <form> tag.
<form method="post" action=".">
{% csrf_token %}
This is expanded into a hidden field when the page is rendered on a GET request. Something like:
<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
This token is then passed back to the view on POST and validated.
Consequently, before you can POST to a CSRF-protected view you will have to first get the token from that view.
Can you verify/ensure that you have the CSRF token handy before making a POST request to the view? Alternately you can disable CSRF protection for the view using the csrf_exempt decorator. This may not be a good idea though.
Update
This is the point of my question: I am not using Django templates for my front end and thus I cannot tag forms with the token. I am using GWT for my front end, which renders the form for the post.
Are you already making a GET request to the Django view before rendering the page? In that case you can get the CSRF token by parsing the contents of the response.
If not, you will have to explicitly make a GET request to the view (assuming it supports GET) and parse the response for a CSRF token. For an example, see this question.
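The GET-then-POST round trip the answer describes, written out as an added example for this page (it is not from the question, the answer, or GWT itself): a non-browser client parses the hidden csrfmiddlewaretoken field out of the rendered page, keeps the csrftoken cookie the response set, and sends both back with the POST. The page HTML and Set-Cookie header are constructed stand-ins for a real GET response, modelled on the hidden field shown in the answer.

```python
"""A non-browser client (the GWT front end in the question, or any script)
obtaining Django's CSRF token from a rendered page and then building the POST
the middleware will accept. Added example for this page, not from the question
or answer; the page HTML and Set-Cookie header below are constructed stand-ins
for a real GET response."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed GET response, in the shape Django 1.2 renders {% csrf_token %}.
SAMPLE_SET_COOKIE = "csrftoken=90064bf0e86edacfdb60595e3e2b8f23; Path=/"
SAMPLE_PAGE = """<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
<input type='text' name='item' />
</form>"""


class _TokenFinder(HTMLParser):
    """Collects the value of the first csrfmiddlewaretoken input in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.token: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "input" or self.token is not None:
            return
        attributes = dict(attrs)
        if attributes.get("name") == "csrfmiddlewaretoken":
            self.token = attributes.get("value")


def extract_csrf_token(page_html: str) -> Optional[str]:
    """Token from the hidden field, or None when the page has no protected form."""
    finder = _TokenFinder()
    finder.feed(page_html)
    finder.close()
    return finder.token


def cookie_token(set_cookie_header: str) -> Optional[str]:
    """Value of the csrftoken cookie the GET response set, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("csrftoken")
    return morsel.value if morsel is not None else None


def build_post(page_html: str, set_cookie_header: str,
               fields: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Headers and urlencoded body for a POST carrying both halves of the token.

    The client must echo the cookie AND the form field; sending only one of them
    is exactly the "CSRF token missing or incorrect" failure from the question.
    The two values are not compared here: on Django 1.2 they are equal, on newer
    versions the form value is masked and differs from the cookie by design.
    """
    token = extract_csrf_token(page_html)
    cookie = cookie_token(set_cookie_header)
    if token is None or cookie is None:
        raise ValueError("GET response carried no CSRF token; a POST would get 403")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"csrftoken={cookie}",
        # Over HTTPS Django additionally requires a same-origin Referer; a real
        # client sends the URL of the page it fetched the form from.
    }
    body = urlencode({"csrfmiddlewaretoken": token, **fields})
    return headers, body


if __name__ == "__main__":
    hdrs, body = build_post(SAMPLE_PAGE, SAMPLE_SET_COOKIE, {"item": "widget"})
    print(hdrs)
    print(body)
```

In a real client the GET is issued with an HTTP library that keeps the cookie jar, and the page body is what gets passed to extract_csrf_token; the point of the example is that the hidden field alone is not enough, since Django verifies it against the cookie that came with the same session.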