Forbidden (403) CSRF verification failed. Request aborted

Question

I am making an app of login form but when I am running my app and click on login button the following error will occur

Forbidden (403) CSRF verification failed. Request aborted.

the code of view.py is as:

from django.template import  loader
from django.shortcuts import render_to_response
from registration.models import Registration
from django.http import HttpResponse
from django.template import RequestContext
from django.shortcuts import redirect


def view_login(request,registration_id):
   t = loader.get_template('registration/login.html') 
   try:
         registration=Registration.objects.get(pk=registration_id)
   except Registration.DoesNotExist:
         return render_to_response("login.html",{"registration_id":registration_id})

def home(request,registration_id):
    if request.method == "POST":
      username = request.POST.get('user_name')
      password = request.POST.get('password')
      user = authenticate(username=username, password=password)
      if user is not None:
        if user.is_active:
          login(request, user)
        # success
          return render('registration/main_page.html',{'registration_id':registration_id},context_instance=RequestContext(user))
        else:
         #user was not active
           return redirect('q/',context_instance=RequestContext(user))
      else:
        # not a valid user
           return redirect('q/',context_instance=RequestContext(user))
    else:
       # URL was accessed directly
           return redirect('q/',context_instance=RequestContext(user))

Answer 1

In Django ≥ 4 it is now necessary to specify CSRF_TRUSTED_ORIGINS in settings.py

CSRF_TRUSTED_ORIGINS = ['https://your-domain.com', 'https://www.your-domain.com']

See documentation

Answer 2

For those who are using Django==4.* or above, there must be an additional field in settings.py called CSRF_TRUSTED_ORIGINS=[] and add your domain here, Problem solved.

Check this latest release.

Answer 3

While it is probably not the OP's problem, I discovered that adding the verfication code from ezoic actually messed up my CSRF process. Adding the code destroyed my sites login process and probably other forms as well.

Answer 4

method: 'POST',
headers: {
              'Content-Type': 'application/json',
              "X-CSRFToken": $("[name=csrfmiddlewaretoken]").val()
         },

{% csrf_token %} => add this inside header tag in html

Answer 5

You need to add {% csrf_token %} in your form

https://docs.djangoproject.com/en/2.2/ref/csrf/

like that :

<form>
    {% csrf_token %}
    <anything_else>
</form>

Also, you have to use RequestContext(request) everytime you use render_to_response :

return render_to_response("login.html",
    {"registration_id":registration_id},
    context_instance=RequestContext(request))

And you have to import authenticate and login :

from django.contrib.auth import authenticate, login

Answer 6

Just comment 'django.middleware.csrf.CsrfViewMiddleware'

in your settings.py, which works for me:

//settings.py
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
#'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

THIS MAY HAVE SECURITY FLAWS UNLESS YOU SOMEHOW MANAGE CSRF IN ANOTHER WAY, AND IS NOT RECOMMENDED, AS YOU WILL BE SUSCEPTIABLE TO CSRF ATTACKS

Answer 7

When you have "Forbidden (403) CSRF verification failed. Request aborted" you can alternatively do:

option (2) (not preferred)

import:

from django.template.context_processors import csrf

add to context:

context = {}
context.update(csrf(request))

return:

-Django > 1.9 has "context" instead of "context_instance"

return render_to_response("login.html",
    {"registration_id":registration_id},
    context=context)

option (3) (preferred)

import:

-instead of importing "render_to_response" import "render"

from django.shortcuts import render

return:

return render(request, "login.html", context)

Apparently option 3 is preferable, because "render" is shorter than "render_to_response", especially if you need to import and add stuff. I could imagine option 2 keeps a leaner context dict, but this seems trivial (?).

For clarity:

Both solutions still need the {% csrf_token %} in your html form as mentioned above. And never turn off or comment the csrf middelware.

sources:

old Django 1.9 docs on RequestContext

Django 2 docs on the csrf processor

source explaining render is enough

Answer 8

I encountered this problem while using the book "The Definitive Guide to Django" wherein version 1.1 is used. The book does not address the need for csrf_token verification that is mandated in later versions.

To fix this issue, add:

from django.template import RequestContext

to the views.py file and this added argument for the render_to_response function:

context_instance = RequestContext(request)

Be sure to add {% csrf_token %} within the <form> tags in the template