I am following Django 1.3 Web Development. and for logins, i am getting the following error
我关注Django 1.3 Web开发。对于登录,我将得到以下错误
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
This is my settings.py Included APPS. It is exactly how the book says it should be.
这是我的设置。py包含应用程序。这本书就是这么说的。
INSTALLED_APPS = (
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
# Uncomment the next line to enable the admin:
'django.contrib.admin',
# Uncomment the next line to enable admin documentation:
# 'django.contrib.admindocs',
'djangocricket.Cricket',
'djangocricket.cms'
)
The book says, it should contain, django.contrib.auth.views.login .. and i am including it in
这本书说,它应该包含,django.com。登录. .我把它包括在内
urlpatterns = patterns('',
# Examples:
url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
url(r'^login/$', 'django.contrib.auth.views.login'),
# url(r'^djangocricket/', include('djangocricket.foo.urls')),
# Uncomment the admin/doc line below to enable admin documentation:
#url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
# Uncomment the next line to enable the admin:
url(r'^news/', 'djangocricket.cms.views.index', name='index'),
#url(r'^news/(?P<slug>[^\.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
url(r'^admin/', include(admin.site.urls)),
)
and my registration/login.html ... copy pasted from the book. it should do.
我的注册/登录。html……复制粘贴在书上的内容。它应该做的。
<html>
<head>
<title>Django Bookmarks - User Login</title>
</head>
<h1>User Login</h1>
{% if form.errors %}
<p>Your username and password didn't match.
Please try again.</p>
{% endif %}
<form method="post" action=".">
<p><label for="id_username">Username:</label>
{{ form.username }}</p>
<p><label for="id_password">Password:</label>
{{ form.password }}</p>
<input type="hidden" name="next" value="/" />
<input type="submit" value="login" />
</form>
</body>
</html>
what am i missing?
我缺少什么?
5 个解决方案
#1
53
You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.
您需要将{% csrf_token %}模板标记添加为Django模板中的表单元素的子元素。
This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.
这样,模板将呈现一个隐藏元素,其值设置为CSRF令牌。当Django服务器收到表单请求时,Django将验证该令牌是否与表单中呈现的值相匹配。这对于确保POST请求(即数据更改请求)起源于真实的客户端会话是必要的。
For more info, check the Django documentation at: https://docs.djangoproject.com/en/dev/ref/csrf/
要了解更多信息,请查看Django文档:https://docs.djangoproject.com/en/dev/ref/csrf/
Here is an overview of the Cross-Site Request Forgery attack: https://www.owasp.org/index.php/CSRF
以下是跨站点请求伪造攻击的概述:https://www.owasp.org/index.php/CSRF
#2
7
If you use csrf_token template tag but not change anything, check CSRF_COOKIE_DOMAIN setting. You should set None to it on development environment.
如果您使用的是csrf_token模板标签,但没有更改任何内容,请检查CSRF_COOKIE_DOMAIN设置。您不应该在开发环境上设置it。
#3
6
I had the same problem. I solved this problem when i added the {% csrf_token %}. Finally my code is this:
我也有同样的问题。我在添加{% csrf_token %}时解决了这个问题。最后,我的代码是:
<form id='formulario2' method='post' action='>
<h3>Enter:</h3>
{% csrf_token %}
<input id="id_mesaje" name="mesaje" type="email" placeholder="E-mail"/>
<input type='submit' name="boton2" value='Suscribete' style="display:inline-block;background-color: #80e174; "/>
</form>
#4
4
Just wanted give additional info on the topic. If it ever happens to you and you are sure that the token is injected in the form and the view functions are handling everything properly but the problem persists. Make sure that there is no javascript code disabling the input fields. Happened to me, after couple of hours of debugging, finally realized that.
我只是想提供更多关于这个话题的信息。如果它发生在您身上,并且您确信以表单的形式注入了令牌,并且视图函数正在正确地处理一切,但是问题仍然存在。确保没有javascript代码禁用输入字段。经过几个小时的调试,我终于意识到这一点。
<input type="hidden" name="csrfmiddlewaretoken" value="pHK2CZzBB323BM2Nq7DE2sxnQoBG1jPl" disabled="">
#5
0
Hi simply use {% csrf_token %} inside your form.This worked out for me. So why do we use the Cross-site requested forgery ? Well, the answer is pretty simple, it just added another security layer to your web page, whereby any malicious user cannot validate a request using a wrong token.
Hi只是在表单中使用{% csrf_token %}。这对我来说是行得通的。那么我们为什么要使用跨站点请求的伪造文件呢?嗯,答案很简单,它只是在你的网页上添加了另一个安全层,任何恶意用户都不能使用错误的标记来验证请求。
#1
53
You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.
您需要将{% csrf_token %}模板标记添加为Django模板中的表单元素的子元素。
This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.
这样,模板将呈现一个隐藏元素,其值设置为CSRF令牌。当Django服务器收到表单请求时,Django将验证该令牌是否与表单中呈现的值相匹配。这对于确保POST请求(即数据更改请求)起源于真实的客户端会话是必要的。
For more info, check the Django documentation at: https://docs.djangoproject.com/en/dev/ref/csrf/
要了解更多信息,请查看Django文档:https://docs.djangoproject.com/en/dev/ref/csrf/
Here is an overview of the Cross-Site Request Forgery attack: https://www.owasp.org/index.php/CSRF
以下是跨站点请求伪造攻击的概述:https://www.owasp.org/index.php/CSRF
#2
7
If you use csrf_token template tag but not change anything, check CSRF_COOKIE_DOMAIN setting. You should set None to it on development environment.
如果您使用的是csrf_token模板标签,但没有更改任何内容,请检查CSRF_COOKIE_DOMAIN设置。您不应该在开发环境上设置it。
#3
6
I had the same problem. I solved this problem when i added the {% csrf_token %}. Finally my code is this:
我也有同样的问题。我在添加{% csrf_token %}时解决了这个问题。最后,我的代码是:
<form id='formulario2' method='post' action='>
<h3>Enter:</h3>
{% csrf_token %}
<input id="id_mesaje" name="mesaje" type="email" placeholder="E-mail"/>
<input type='submit' name="boton2" value='Suscribete' style="display:inline-block;background-color: #80e174; "/>
</form>
#4
4
Just wanted give additional info on the topic. If it ever happens to you and you are sure that the token is injected in the form and the view functions are handling everything properly but the problem persists. Make sure that there is no javascript code disabling the input fields. Happened to me, after couple of hours of debugging, finally realized that.
我只是想提供更多关于这个话题的信息。如果它发生在您身上,并且您确信以表单的形式注入了令牌,并且视图函数正在正确地处理一切,但是问题仍然存在。确保没有javascript代码禁用输入字段。经过几个小时的调试,我终于意识到这一点。
<input type="hidden" name="csrfmiddlewaretoken" value="pHK2CZzBB323BM2Nq7DE2sxnQoBG1jPl" disabled="">
#5
0
Hi simply use {% csrf_token %} inside your form.This worked out for me. So why do we use the Cross-site requested forgery ? Well, the answer is pretty simple, it just added another security layer to your web page, whereby any malicious user cannot validate a request using a wrong token.
Hi只是在表单中使用{% csrf_token %}。这对我来说是行得通的。那么我们为什么要使用跨站点请求的伪造文件呢?嗯,答案很简单,它只是在你的网页上添加了另一个安全层,任何恶意用户都不能使用错误的标记来验证请求。