Django Asül

Reputation: 109

CSRF verfication failed, but only with IE9

I have set up CSRF as described in the Django docs (using Django 1.3). It works with FF and Safari, but on IE9 I get

<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
</div>

In the response headers of the Ajax request I find

Set-Cookie  csrftoken=8db3637951243ffb591e6b2d6998ed03; expires=Fri, 14-Sep-2012 08:01:52 GMT; Max-Age=31449600; Path=/

It works in IE9 when using it in a normal Form (i.e. no Ajax involved).

I am using Django behind nginx/1.1.2.

Any hints what I am missing here?

Upvotes: 6

Views: 5319
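As an added example (not code from the question or from Django itself), here is the client-side half of Django's CSRF protection for Ajax requests, written in the spirit of the snippet in the Django docs: read the csrftoken cookie, and send its value as the X-CSRFToken header on every non-safe request. Django's CsrfViewMiddleware only accepts the POST when the cookie arrives on the request and the same value arrives in the header (or in the csrfmiddlewaretoken form field). The symptom in the question, a Set-Cookie for csrftoken in the response to the Ajax request, means the server had to (re)issue the cookie, i.e. the browser did not send it, so the check fails even when the header code is right. The example therefore refuses to send a token-less unsafe request instead of silently letting it 403. The function names, the injectable xhrFactory hook and the cookie string passed in as a parameter are assumptions made so the code runs outside a browser.

```javascript
// Added example, not the question's or Django's own code. Client side of
// Django's CSRF check for Ajax: find the csrftoken cookie and attach it as the
// X-CSRFToken header on non-safe methods.

// Parse a document.cookie-style string ("a=1; b=2") and return one cookie's
// value, or null when it is absent. Taking the string as a parameter (instead
// of reading document.cookie directly) keeps the function testable outside a
// browser; in a page, pass document.cookie.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  const parts = cookieString.split(';');
  for (let i = 0; i < parts.length; i++) {
    const cookie = parts[i].trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's middleware does not check the token on "safe" methods, so the
// header is only needed for the others.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Decide which extra headers a request needs: {} for safe methods,
// {'X-CSRFToken': token} otherwise. Throws when the cookie is missing, which
// is the situation behind the 403 in the question: the browser did not keep
// (or did not send) the cookie, so any token we could send would not match.
function csrfHeaders(method, cookieString) {
  if (csrfSafeMethod(method)) return {};
  const token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie not present; the browser did not store or send it');
  }
  return { 'X-CSRFToken': token };
}

// Send a request with the CSRF header attached. xhrFactory is an assumed hook
// so the function can be exercised with a fake XMLHttpRequest; in a browser
// call sendWithCsrf('POST', '/api/', body, document.cookie,
// function () { return new XMLHttpRequest(); }).
function sendWithCsrf(method, url, body, cookieString, xhrFactory) {
  const headers = csrfHeaders(method, cookieString);
  const xhr = xhrFactory();
  xhr.open(method, url, true);
  Object.keys(headers).forEach(function (name) {
    xhr.setRequestHeader(name, headers[name]);
  });
  xhr.send(body);
  return xhr;
}
```

When debugging a failure like the one above, compare the Cookie header on the Ajax request with the Set-Cookie header on its response: if the response keeps setting csrftoken, the request never carried it, and the problem is cookie storage in the browser (for example a third-party context), not the header code.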

Answers (3)

Dennis Golomazov

Reputation: 17339

In Django's ticket #17157 (thanks @akaihola for the link) it's stated that the problem is that Internet Explorer blocks third-party cookies by default. So you can enable third-party cookies for all sites or only for your site in browser settings. Here is how to do that in IE 7 (from this link):

  1. Click the "Tools" menu
  2. Click "Internet Options"
  3. Select the "Privacy" tab

Option 1: To enable third-party cookies for all sites

  1. Click "Advanced"
  2. Select "Override automatic cookie handling"
  3. Select the "Accept" button under "Third-party Cookies" and click "OK"

OR

Option 2: To enable third-party cookies just for Feedjit.com

  1. Click "Sites"
  2. Add "your-domain.com" and click "Allow"
  3. Click "OK"
  4. Select the "Accept" button under "Third-party Cookies" and click "OK"

Upvotes: 1

Peter

Reputation: 1798

I had the same problem; the problem for me was that I did not specify the form action attribute. IE apparently doesn't allow that.

Upvotes: 3

akaihola

Reputation: 26835

If your form is inside an iframe, the probable reason is IE's default policy of blocking third-party cookies. You could

Django's ticket #17157 proposes to add a note about this issue in the documentation.

Upvotes: 3
