I am running Django 1.3 with Apache and mod_wsgi. I followed these
instructions, https://docs.djangoproject.com/en/1.3/howto/deployment/modwsgi/
to display a simple page, which contains a form, and which sends the
data back via POST.
Everything is fine with GET requests. However, when I do POST, I get
an error: Forbidden (403), "CSRF token missing or incorrect".
The django.middleware.csrf.CsrfViewMiddleware component is added to
the MIDDLEWARE_CLASSES list. The HTML form contains the {% csrf_token %}
tag. I can verify that in the form sent on GET, this tag is replaced
with the hidden input field:

    <input type='hidden' name='csrfmiddlewaretoken' value='m4zDfr2n32yfberwrVuxylniJFXAs' />
I also use RequestContext in the django views code.
When the form is POSTed back, the CsrfViewMiddleware expects to find a
cookie with a specific name, and if found, it sets the csrf_token
variable:

    csrf_token = _sanitize_token(request.COOKIES[settings.CSRF_COOKIE_NAME])
Then, for the POST request, it expects to find specific data inside
request.POST:

    if request.method == "POST":
        request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
The error I am seeing happens when these two values are not equal.
Indeed, in my case, the csrf_token is set to the value above, and the
request_csrf_token is empty. Moreover, request.POST comes completely
empty when it reaches the CsrfViewMiddleware filter. It is known that
mod_wsgi sends POST data in request.META['wsgi.input'], which somehow
needs to be parsed.
Django documentation advises against accessing POST data in the
middleware (something breaks down the road), with CsrfViewMiddleware
being an exception. But even if I stick another custom component just
before CsrfViewMiddleware in the MIDDLEWARE_CLASSES list, which would
read and parse the request.META['wsgi.input'] data, I will not be able
to pass the value to CsrfViewMiddleware via POST because it is read
only.
So, my question is, how is this supposed to work? What am I missing?
Thanks.
Konstantin.
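An added example, not part of Konstantin's message or of Django itself: a stand-alone Python model of the two-token comparison described above (cookie value versus the csrfmiddlewaretoken field in the POST body), plus a small WSGI-style body parser, so the two failure modes the post mentions can be reproduced offline. The cookie name "csrftoken", the helper names parse_wsgi_form, check_csrf and simulate_post, and the request bodies are all constructed for the example; the token value is the one quoted in the post. The constant-time comparison and the fresh-key fallback in _sanitize_token are deliberate choices of this example, not a transcription of the 1.3 source.

```python
import hmac
import re
import secrets
import string
from io import BytesIO
from urllib.parse import parse_qs

CSRF_COOKIE_NAME = "csrftoken"  # assumed default cookie name for this example
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
_ALPHANUM = string.ascii_letters + string.digits


def _new_csrf_key():
    """Fresh 32-character alphanumeric key (constructed helper)."""
    return "".join(secrets.choice(_ALPHANUM) for _ in range(32))


def _sanitize_token(token):
    """Keep only [a-zA-Z0-9]. If nothing survives (e.g. a truncated cookie),
    return a fresh key rather than "" so an empty POST token can never match."""
    token = re.sub(r"[^a-zA-Z0-9]", "", str(token))
    return token if token else _new_csrf_key()


def parse_wsgi_form(environ):
    """Parse an application/x-www-form-urlencoded body from wsgi.input.
    The stream is read once, for CONTENT_LENGTH bytes; anything that drained
    it earlier leaves this parser with an empty dict."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}


def check_csrf(method, cookies, post_data):
    """Return (accepted, reason). Models the cookie-vs-POST comparison:
    safe methods pass, unsafe methods need a cookie and a matching field."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True, None
    if CSRF_COOKIE_NAME not in cookies:
        return False, REASON_NO_COOKIE
    csrf_token = _sanitize_token(cookies[CSRF_COOKIE_NAME])
    request_csrf_token = post_data.get("csrfmiddlewaretoken", "")
    # bytes-based constant-time compare; the quoted snippet uses plain !=
    if not hmac.compare_digest(request_csrf_token.encode(), csrf_token.encode()):
        return False, REASON_BAD_TOKEN
    return True, None


def simulate_post(cookie_value, body, drained_by_earlier_reader=False):
    """Build a minimal WSGI environ for a POST and run the check.
    drained_by_earlier_reader models a component that consumed wsgi.input
    before the body parser ran, which is what leaves request.POST empty."""
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),  # constructed request body
    }
    if drained_by_earlier_reader:
        environ["wsgi.input"].read()  # stream exhausted; nothing left to parse
    post_data = parse_wsgi_form(environ)
    return check_csrf("POST", {CSRF_COOKIE_NAME: cookie_value}, post_data)


if __name__ == "__main__":
    token = "m4zDfr2n32yfberwrVuxylniJFXAs"  # value from the rendered form above
    good = ("csrfmiddlewaretoken=" + token + "&name=x").encode()
    print("matching field   :", simulate_post(token, good))
    print("field absent     :", simulate_post(token, b"name=x"))
    print("body drained     :", simulate_post(token, good, drained_by_earlier_reader=True))
```

Running it shows the matching body accepted, the body without the field rejected with the message from the post, and the drained-stream case rejected with the same message even though the browser sent a correct token, which is the symptom of request.POST being empty by the time the check runs.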