Reputation: 51
Different csrfmiddlewaretoken in form and csrfotken in cookie
I have a simple form in which I am using a csrfmiddlewaretoken in django as:
<form>
{% csrf_token %}
</form>
On page load both the csrfmiddlewaretoken in form and csrftoken in cookie are same but when I refresh the page using ctrl + F5, the csrftoken in cookie changes but the csrfmiddlewaretoken in the form remains same, which leads to the future POST AJAX request fail.
What can be the reason of this ?
Upvotes: 4
Views: 999
Answers (2)
Reputation: 21
I think your Django version is 1.10 or 1.11, because after 1.9, there are some news in csrf.
To protect against BREACH attacks, the CSRF protection mechanism now changes the form token value on every request (while keeping an invariant secret which can be used to validate the different tokens).
Upvotes: 2
Reputation: 457
- Are you using cache?
- Have you tried to add
@csrf_protectdecorator to your method responsible for generating HTML? - Are you doing any manual manipulation with csrf token in your views?
Some code snippets of your views and forms would be useful, it's wild guessing without them.
Upvotes: 0
Related Questions
- Why do we need both the csrftoken cookie and the HTML form's hidden input's csrfmiddlewaretoken value?
- What's the relationship between csrfmiddlewaretoken and csrftoken?
- django no csrftoken in cookie
- Django csrf_token works in one form but not in other
- Django - dealing with multiple CSRF tokens in the same template (ajax and form) Forbidden (CSRF token missing or incorrect.)
- Why csrftoken cookie works?
- Django Form csrf_token
- Django Ajax Request still results to CSRF Token Missing or Incorrect
- Different value of csrf token in response header and browser cookies. csrf verification failing in django 1.9
- Ajax POST with csrfmiddlewaretoken and csrftoken cookie set still gets django 403 Forbidden