#28488: Django 1.11 to 1.11.4 raises CSRF verification failed if settings.DEBUG is False
-------------------------------------+-------------------------------------
Reporter: Ruben Alves | Owner: nobody
Type: Bug | Status: new
Component: CSRF | Version: 1.11
Severity: Release blocker | Keywords: csrf failed settings debug false production
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Hi all,
I'm using Django 1.11 (and made tests also with Django 1.11.4) and having
problems when submitting a form with POST method.
I'm calling the `{% csrf_token %}` inside of the form, so, this is not the
problem.
The problem when submitting the form is:

    Forbidden (403)
    CSRF verification failed. Request aborted.
    More information is available with DEBUG=True.

Then, in order to see "more information", I've enabled `settings.DEBUG` to
`True` and submitted the form again. At this moment, the problem didn't
happen anymore.
So I've disabled `settings.DEBUG`, submitted again, and the problem was
there. Enabled `DEBUG=True` again, and the problem was gone.
Initially I thought that could be some error in my code, but the same
happens when I try to reset my password with the
`django.contrib.auth.views.password_reset` view.
In my `settings.py`, I have the following changes that were made recently:
`SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`
`SESSION_COOKIE_SECURE = True`
`CSRF_COOKIE_SECURE = True`
I use AWS (Amazon Web Service) Elastic Beanstalk with https enabled.
The worst part is that I've discovered this only on production because I
make all tests in my local machine with `DEBUG=True`, and on production,
we set `DEBUG=False`.
It's something related to the same error mentioned on Google Groups
[https://groups.google.com/forum/#!searchin/django-users/CSRF$20verification$20failed.$20Request$20aborted.$20More$20information$20is$20available$20with$20DEBUG$3DTrue.%7Csort:relevance/django-users/ISoJ6CwHOXQ/pirLih0jBgAJ]
--
Ticket URL: <https://code.djangoproject.com/ticket/28488>