I am making an app of login form but when I am running my app and click on login button the following error will occur
Forbidden (403)
CSRF verification failed. Request aborted.
the code of view.py is as:
from django.template import loader
from django.shortcuts import render_to_response
from registration.models import Registration
from django.http import HttpResponse
from django.template import RequestContext
from django.shortcuts import redirect
def view_login(request,registration_id):
t = loader.get_template('registration/login.html')
try:
registration=Registration.objects.get(pk=registration_id)
except Registration.DoesNotExist:
return render_to_response("login.html",{"registration_id":registration_id})
def home(request,registration_id):
if request.method == "POST":
username = request.POST.get('user_name')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
# success
return render('registration/main_page.html',{'registration_id':registration_id},context_instance=RequestContext(user))
else:
#user was not active
return redirect('q/',context_instance=RequestContext(user))
else:
# not a valid user
return redirect('q/',context_instance=RequestContext(user))
else:
# URL was accessed directly
return redirect('q/',context_instance=RequestContext(user))
You need to add {% csrf_token %}
in your form
https://docs.djangoproject.com/en/2.2/ref/csrf/
like that :
<form>
{% csrf_token %}
<anything_else>
</form>
Also, you have to use RequestContext(request) everytime you use render_to_response
:
return render_to_response("login.html",
{"registration_id":registration_id},
context_instance=RequestContext(request))
And you have to import authenticate and login :
from django.contrib.auth import authenticate, login
I encountered this problem while using the book "The Definitive Guide to Django" wherein version 1.1 is used. The book does not address the need for csrf_token verification that is mandated in later versions.
To fix this issue, add:
from django.template import RequestContext
to the views.py file and this added argument for the render_to_response function:
context_instance = RequestContext(request)
Be sure to add {% csrf_token %}
within the <form>
tags in the template
Just comment
'django.middleware.csrf.CsrfViewMiddleware'
in your settings.py, which works for me:
//settings.py
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
#'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
THIS MAY HAVE SECURITY FLAWS UNLESS YOU SOMEHOW MANAGE CSRF IN ANOTHER WAY, AND IS NOT RECOMMENDED, AS YOU WILL BE SUSCEPTIABLE TO CSRF ATTACKS
When you have "Forbidden (403) CSRF verification failed. Request aborted" you can alternatively do:
option (2) (not preferred)
import:
from django.template.context_processors import csrf
add to context:
context = {}
context.update(csrf(request))
return:
-Django > 1.9 has "context" instead of "context_instance"
return render_to_response("login.html",
{"registration_id":registration_id},
context=context)
option (3) (preferred)
import:
-instead of importing "render_to_response" import "render"
from django.shortcuts import render
return:
return render(request, "login.html", context)
Apparently option 3 is preferable, because "render" is shorter than "render_to_response", especially if you need to import and add stuff. I could imagine option 2 keeps a leaner context dict, but this seems trivial (?).
For clarity:
Both solutions still need the {% csrf_token %} in your html form as mentioned above. And never turn off or comment the csrf middelware.
sources:
old Django 1.9 docs on RequestContext
Django 2 docs on the csrf processor
source explaining render is enough