Hi,
We are seeing a strange issue with CSRF in Django. We are using Django
1.8.4.
Ours is an ecommerce site which has been up for a year. We have been
observing 403 CSRF errors now and then for form posts, but the issue is
intermittent and suddenly pops up: the form posts work fine for
days/weeks, but then the CSRF error suddenly starts showing up. On digging
further, when we check the POST request in the browser's inspector, the CSRF
token shows up in both the POST data and the cookie:
Cookie:QGUserId=%220319088571507253%22; mailer_popup=no;
sessionid=si11ft0y1w6fr1ostgd9yd0yi88xpyo9; ga=GA1.3.133645024.1488272511;
jivaana_country=IN;
jivaana_last_visited_page=/product/traditional-maharastrian-earrings-green-12629/;
jivaana_last_visited_product=Traditional Maharastrian Earrings - Green;
jivaana_last_visited_image=undefined; last_session_reminder=1;
jivaana_last_visited_catalogue=/footwear/juttis/; oscar_history="[6251\054
11144\054 8724\054 17749\054 7849\054 11402]";
jivaana_product_list=[{"page":"/product/electric-daisy-11402/","name":"Blue
Juttis - Electric Daisy","image":"
http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg"}];
cart_prod_title=Blue Juttis - Electric Daisy; cart_prod_image=
http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg;
cart_session_reminder=1;
messages="03d4207b1d9610be355acf1ee7667642dbace557$[[\"__json_message\"\0541\05425\054\"\\n\\n\\n
\\n <strong>Blue Juttis - Electric Daisy</strong> has been added to
your cart.\\n \\n\\n\"\054\"safe
noicon\"]\054[\"__json_message\"\0541\05420\054\"\\n\\n\\n<p>\\n \\n
\\n \\n Your cart total is now
<strong>\\u00a0\\u20b94\054020</strong>\\n \\n \\n
\\n</p>\\n\\n\"\054\"safe noicon\"]]"; gat_tw=1; qg_identified=true;
csrftoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex; gat=1;
_ga=GA1.2.133645024.1488272511
Form Data:
csrfmiddlewaretoken:NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex
form-TOTAL_FORMS:2
form-INITIAL_FORMS:2
form-MIN_NUM_FORMS:0
form-MAX_NUM_FORMS:1000
form-0-quantity:2
form-0-id:46476
form-1-quantity:1
form-1-id:49589
But when I dump the request log in the Django server, the csrftoken cookie
is missing:
csrfmiddlewaretoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex&form-TOTAL_FORMS=2&form-INITIAL_FORMS=2&form-MIN_NUM_FORMS=0&form-MAX_NUM_FORMS=1000&form-0-quantity=2&form-0-id=46476&form-1-quantity=1&form-1-id=49589
{'jivaana_last_visited_page':
'/product/traditional-maharastrian-earrings-green-12629/',
'jivaana_last_visited_image': 'undefined', 'jivaana_country': 'IN',
'last_session_reminder': '1', '_ga': 'GA1.3.133645024.1488272511',
'mailer_popup': 'no', 'sessionid': 'si11ft0y1w6fr1ostgd9yd0yi88xpyo9',
'QGUserId': '%220319088571507253%22', 'jivaana_last_visited_product':
'Traditional', 'oscar_history': '[6251, 11144, 8724, 17749, 7849, 11402]',
'jivaana_last_visited_catalogue': '/footwear/juttis/'}
The log is being dumped from a Django middleware, hence I am not sure
whether Django strips the csrftoken cookie from the request. If Django is
not stripping the CSRF cookie, then this is an issue with CSRF, and the
missing csrftoken cookie explains the 403 Forbidden error.
On clearing browser cache, the form POST starts working again.
I am not sure why the above is happening and was wondering whether anyone
has faced a similar issue and has an answer/solution. The issue occurs only
for a few users (not all), but it is affecting our business.
Also, when the 403 CSRF error occurs, Django throws a DEBUG page with the
following content:
CSRF Verification failed. Request aborted.......You are seeing this page
because you have DEBUG=TRUE.
This error page should not occur, as DEBUG is set to False in our
production settings.
I would appreciate it if someone could throw some light on the above issues.
Thanks.
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/93d8e49a-782a-4b14-8977-f2be9c2685a9%40googlegroups.com.
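The post shows a csrftoken cookie that the browser sends but that is absent from the cookie dict the Django middleware sees, followed by a 403. The script below is an added example, not code from the post or from Django itself: it reproduces how Django 1.8's parse_cookie (which delegates to the stdlib SimpleCookie and returns an empty dict on CookieError) and the plain split-on-';' parser that later Django releases use behave on a Cookie header modelled on the one quoted above, and then runs a reduced version of the CsrfViewMiddleware decision over the result. The header and POST body are constructed samples (cookie values shortened, names taken from the post); the middleware logic is simplified (no Referer check for HTTPS, no csrf_exempt handling, malformed cookie tokens are not regenerated). On Python 3 the stdlib parser stops at the first cookie-pair it cannot match and silently keeps only the pairs before it; Python 2.7's parser differs, so which cookies survive depends on the interpreter, which is why the diagnostic compares the two parsers on the raw header rather than trusting request.COOKIES.

```python
"""Diagnose a csrftoken cookie that the browser sends but request.COOKIES
lacks, and reproduce the CsrfViewMiddleware decision that follows.
Cookie header and POST body are constructed samples modelled on the post."""
import hmac
import re
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs

# Constructed sample. The unquoted JSON value and the value with spaces are
# illegal in a cookie-value per RFC 6265 but browsers send them anyway.
SAMPLE_COOKIE_HEADER = (
    'sessionid=si11ft0y1w6fr1ostgd9yd0yi88xpyo9; '
    'jivaana_country=IN; '
    'oscar_history="[6251\\054 11144\\054 8724]"; '
    'jivaana_product_list=[{"page":"/product/electric-daisy-11402/","name":"Blue Juttis"}]; '
    'cart_prod_title=Blue Juttis - Electric Daisy; '
    'csrftoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex'
)
SAMPLE_POST_BODY = (
    'csrfmiddlewaretoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex&form-TOTAL_FORMS=2'
    '&form-INITIAL_FORMS=2&form-0-quantity=2&form-0-id=46476'
)
SAMPLE_POST = {k: v[0] for k, v in parse_qs(SAMPLE_POST_BODY).items()}


def parse_cookie_django18(header):
    """Django 1.8's parse_cookie: load the header into the stdlib SimpleCookie,
    return {} on CookieError. Pairs after one the stdlib cannot parse are lost."""
    if header == '':
        return {}
    try:
        c = SimpleCookie()
        c.load(header)
    except CookieError:
        return {}
    return {k: m.value for k, m in c.items()}


_ESCAPE = re.compile(r'\\([0-3][0-7]{2}|.)')


def cookie_unquote(val):
    """Undo SimpleCookie quoting: drop surrounding double quotes and expand
    backslash-octal escapes (Django writes ',' inside a cookie as \\054)."""
    if len(val) < 2 or val[0] != '"' or val[-1] != '"':
        return val
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 8)) if len(m.group(1)) == 3 else m.group(1),
        val[1:-1])


def parse_cookie_lenient(header):
    """Split on ';' and keep every pair, as later Django releases do; no cookie
    can hide the ones that follow it."""
    cookies = {}
    for chunk in header.split(';'):
        if '=' in chunk:
            key, val = chunk.split('=', 1)
        else:
            key, val = '', chunk
        key, val = key.strip(), val.strip()
        if key or val:
            cookies[key] = cookie_unquote(val)
    return cookies


def lost_by_stdlib(header):
    """Cookie names the strict parser drops but the lenient one keeps. Run it
    over the raw Cookie header logged at the proxy for a failing request."""
    return sorted(set(parse_cookie_lenient(header)) - set(parse_cookie_django18(header)))


REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def csrf_check(cookies, post):
    """Core of Django 1.8's CsrfViewMiddleware.process_view for a POST: the body
    token must equal the csrftoken cookie; a missing cookie is an immediate 403
    no matter what the form carried. Referer/HTTPS and csrf_exempt omitted."""
    cookie_token = cookies.get('csrftoken')
    if cookie_token is None:
        return False, REASON_NO_CSRF_COOKIE
    # Django strips non-alphanumerics before comparing (simplified: no regen)
    cookie_token = re.sub('[^a-zA-Z0-9]+', '', cookie_token)
    request_token = post.get('csrfmiddlewaretoken', '')
    # constant-time comparison, as Django's constant_time_compare does
    if not hmac.compare_digest(request_token.encode(), cookie_token.encode()):
        return False, REASON_BAD_TOKEN
    return True, None


if __name__ == '__main__':
    for name, parser in (('Django 1.8 / stdlib', parse_cookie_django18),
                         ('lenient split', parse_cookie_lenient)):
        cookies = parser(SAMPLE_COOKIE_HEADER)
        print(name, '->', sorted(cookies), csrf_check(cookies, SAMPLE_POST))
    print('lost by stdlib parser:', lost_by_stdlib(SAMPLE_COOKIE_HEADER))
```

To use it on a real incident, replace SAMPLE_COOKIE_HEADER with the raw Cookie header captured in front of Django (proxy or WSGI access log with the header included), not with request.COOKIES, which is already the parsed result. If lost_by_stdlib lists csrftoken, the 403 reason will be "CSRF cookie not set." exactly as csrf_check returns here, and the cookie that precedes csrftoken in the header is the one to inspect; the reason string is what Django passes to the view configured by CSRF_FAILURE_VIEW (default django.views.csrf.csrf_failure), which renders the 403 page quoted in the post.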