#28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG is False
---------------------------------------------------------------------------
               Reporter:  Ruben Alves
                  Owner:  nobody
                   Type:  Bug
                 Status:  new
              Component:  CSRF
                Version:  1.11
               Severity:  Release blocker
               Keywords:  csrf failed settings debug false production
           Triage Stage:  Unreviewed
              Has patch:  0
    Needs documentation:  0
            Needs tests:  0
Patch needs improvement:  0
          Easy pickings:  0
                  UI/UX:  0
---------------------------------------------------------------------------
 Hi all,

 I'm using Django 1.11 (and also made tests with Django 1.11.4) and having
 problems when submitting a form with the POST method.

 I'm calling the `{% csrf_token %}` inside of the form, so, this is not the
 problem.
 The problem when submitting the form is:

 Forbidden (403)
 CSRF verification failed. Request aborted.
 More information is available with DEBUG=True.

 Then, in order to see "more information", I've set `settings.DEBUG` to
 `True` and submitted the form again. At this moment, the problem didn't
 happen anymore.

 So I've disabled `settings.DEBUG`, submitted again, and the problem was
 there. Enabled `DEBUG=True` again, problem has gone.

 Initially I thought that could be some error in my code, but the same
 happens when I try to reset my password with the
 `django.contrib.auth.views.password_reset` view.

 In my `settings.py`, I have the following changes that were made recently:

 `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`
 `SESSION_COOKIE_SECURE = True`
 `CSRF_COOKIE_SECURE = True`


 I use AWS (Amazon Web Services) Elastic Beanstalk with HTTPS enabled.

 The worst part is that I've discovered this only on production because I
 make all tests in my local machine with `DEBUG=True`, and on production,
 we set `DEBUG=False`.

 It's something related to the same error mentioned on Google Groups
 [https://groups.google.com/forum/#!searchin/django-users/CSRF$20verification$20failed.$20Request$20aborted.$20More$20information$20is$20available$20with$20DEBUG$3DTrue.%7Csort:relevance/django-users/ISoJ6CwHOXQ/pirLih0jBgAJ]

-- 
Ticket URL: <https://code.djangoproject.com/ticket/28488>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
