I am making an app of login form but when I am running my app and click on login button the following error will occur
Forbidden (403) CSRF verification failed. Request aborted.
the code of view.py is as:
from django.template import loader
from django.shortcuts import render_to_response
from registration.models import Registration
from django.http import HttpResponse
from django.template import RequestContext
from django.shortcuts import redirect
def view_login(request,registration_id):
t = loader.get_template('registration/login.html')
try:
registration=Registration.objects.get(pk=registration_id)
except Registration.DoesNotExist:
return render_to_response("login.html",{"registration_id":registration_id})
def home(request,registration_id):
if request.method == "POST":
username = request.POST.get('user_name')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
# success
return render('registration/main_page.html',{'registration_id':registration_id},context_instance=RequestContext(user))
else:
#user was not active
return redirect('q/',context_instance=RequestContext(user))
else:
# not a valid user
return redirect('q/',context_instance=RequestContext(user))
else:
# URL was accessed directly
return redirect('q/',context_instance=RequestContext(user))
I encountered this problem while using the book "The Definitive Guide to Django" wherein version 1.1 is used. The book does not address the need for csrf_token verification that is mandated in later versions.
To fix this issue, add:
to the views.py file and this added argument for the render_to_response function:
Be sure to add
{% csrf_token %}
within the<form>
tags in the templateJust comment
'django.middleware.csrf.CsrfViewMiddleware'
in your settings.py, which works for me:
THIS MAY HAVE SECURITY FLAWS UNLESS YOU SOMEHOW MANAGE CSRF IN ANOTHER WAY, AND IS NOT RECOMMENDED, AS YOU WILL BE SUSCEPTIABLE TO CSRF ATTACKS
You need to add
{% csrf_token %}
in your formhttps://docs.djangoproject.com/en/2.2/ref/csrf/
like that :
Also, you have to use RequestContext(request) everytime you use
render_to_response
:And you have to import authenticate and login :
When you have "Forbidden (403) CSRF verification failed. Request aborted" you can alternatively do:
option (2) (not preferred)
import:
add to context:
return:
-Django > 1.9 has "context" instead of "context_instance"
option (3) (preferred)
import:
-instead of importing "render_to_response" import "render"
return:
Apparently option 3 is preferable, because "render" is shorter than "render_to_response", especially if you need to import and add stuff. I could imagine option 2 keeps a leaner context dict, but this seems trivial (?).
For clarity:
Both solutions still need the {% csrf_token %} in your html form as mentioned above. And never turn off or comment the csrf middelware.
sources:
old Django 1.9 docs on RequestContext
Django 2 docs on the csrf processor
source explaining render is enough