I have had that issue as well.  It happens very infrequently for me, and I have 
yet to find a solution to it.  My guess, at least in my situation, is that it 
has something to do with authentication and resetting the server while a user 
is filling out the form.  Since a simple refresh works in my situation, I 
haven’t taken the time to investigate further since it works just fine 
otherwise.  But you are right in that it shows the DEBUG page in the production 
environment, which seems odd.  I would rather have it emailed to me.  I am 
using Django 1.10, but I think Django 1.11 (just released) changed something 
regarding CSRFs.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Web Architect
Sent: Sunday, April 9, 2017 4:33 AM
To: Django users
Subject: Strange issue in CSRF

Hi,

We are seeing a strange issue with CSRF in Django. We are using Django 1.8.4.

Ours is an ecommerce site which has been up for a year. We have been 
observing 403 CSRF errors now and then for form posts. But the issue is 
intermittent and suddenly pops up. I mean the form posts work fine for 
days/weeks, but then suddenly the CSRF error starts showing up. On digging 
further, when we check the POST request in Inspect Element, the CSRF token 
shows up in the post and in the cookie:
Cookie:QGUserId=%220319088571507253%22; mailer_popup=no; 
sessionid=si11ft0y1w6fr1ostgd9yd0yi88xpyo9; ga=GA1.3.133645024.1488272511; 
jivaana_country=IN; 
jivaana_last_visited_page=/product/traditional-maharastrian-earrings-green-12629/;
 jivaana_last_visited_product=Traditional Maharastrian Earrings - Green; 
jivaana_last_visited_image=undefined; last_session_reminder=1; 
jivaana_last_visited_catalogue=/footwear/juttis/; oscar_history="[6251\054 
11144\054 8724\054 17749\054 7849\054 11402]"; 
jivaana_product_list=[{"page":"/product/electric-daisy-11402/","name":"Blue 
Juttis - Electric 
Daisy","image":"http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg"}];
 cart_prod_title=Blue Juttis - Electric Daisy; 
cart_prod_image=http://www.jivaana.com/cache/74/d0/electric-daisy_juttis_red-pink-black-green-yellow_147937470755-74d09c587f73dc8135e005422b9e6b59.jpg;
 cart_session_reminder=1; 
messages="03d4207b1d9610be355acf1ee7667642dbace557$[[\"__json_message\"\0541\05425\054\"\\n\\n\\n
    \\n    <strong>Blue Juttis - Electric Daisy</strong> has been added to your 
cart.\\n    \\n\\n\<file:///\\n\n\n%20 %20 \n%20 %20 
%3cstrong%3eBlue%20Juttis%20-%20Electric%20Daisy%3c\strong%3e%20has%20been%20added%20to%20your%20cart.\n%20
 %20 \n\n\>"\054\"safe 
noicon\"]\054[\"__json_message\"\0541\05420\054\"\\n\\n\\n<p>\\n    \\n        
\\n            \\n            Your cart total is now 
<strong>\\u00a0\\u20b94\054020</strong>\\n            \\n        \\n    
\\n</p>\\n\\n\<file:///\\n\n\n%3cp%3e\n%20 %20 \n%20 %20 %20 %20 \n%20 %20 %20 
%20 %20 %20 \n%20 %20 %20 %20 %20 %20 
Your%20cart%20total%20is%20now%20%3cstrong%3e\u00a0\u20b94\054020%3c\strong%3e\n%20
 %20 %20 %20 %20 %20 \n%20 %20 %20 %20 \n%20 %20 \n%3c\p%3e\n\n\>"\054\"safe 
noicon\"]]"; gat_tw=1; qg_identified=true; 
csrftoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex; gat=1; 
_ga=GA1.2.133645024.1488272511

view URL encoded
csrfmiddlewaretoken:NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex
form-TOTAL_FORMS:2
form-INITIAL_FORMS:2
form-MIN_NUM_FORMS:0
form-MAX_NUM_FORMS:1000
form-0-quantity:2
form-0-id:46476
form-1-quantity:1
form-1-id:49589

But when I dump the request log in the Django server, the csrftoken cookie is 
missing:
csrfmiddlewaretoken=NnjVnLA5tUW8DEQhuUx3wtZJxbIYx1ex&form-TOTAL_FORMS=2&form-INITIAL_FORMS=2&form-MIN_NUM_FORMS=0&form-MAX_NUM_FORMS=1000&form-0-quantity=2&form-0-id=46476&form-1-quantity=1&form-1-id=49589
{'jivaana_last_visited_page': 
'/product/traditional-maharastrian-earrings-green-12629/', 
'jivaana_last_visited_image': 'undefined', 'jivaana_country': 'IN', 
'last_session_reminder': '1', '_ga': 'GA1.3.133645024.1488272511', 
'mailer_popup': 'no', 'sessionid': 'si11ft0y1w6fr1ostgd9yd0yi88xpyo9', 
'QGUserId': '%220319088571507253%22', 'jivaana_last_visited_product': 
'Traditional', 'oscar_history': '[6251, 11144, 8724, 17749, 7849, 11402]', 
'jivaana_last_visited_catalogue': '/footwear/juttis/'}

The log is getting dumped in Django middleware, hence I am not sure if Django 
strips off the csrftoken cookie from the request. If Django is not stripping off 
the CSRF cookie, then this is an issue with CSRF, and the missing csrftoken 
cookie explains the 403 Forbidden error.
On clearing browser cache, the form POST starts working again.

I am not sure why the above is happening and hence was wondering if anyone has 
faced a similar issue and has an answer/solution to the above. The above issue 
occurs only for a few users (not all), but it's affecting our business.

Also, when the 403 CSRF occurs, Django throws a DEBUG page with following 
content:

CSRF Verification failed. Request aborted.......You are seeing this page 
because you have DEBUG=TRUE.

The above error page should not occur as in our production DEBUG is set to 
False.

I would appreciate it if someone could throw some light on the above issues.

Thanks.


--
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
[email protected]<mailto:[email protected]>.
To post to this group, send email to 
[email protected]<mailto:[email protected]>.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/93d8e49a-782a-4b14-8977-f2be9c2685a9%40googlegroups.com<https://groups.google.com/d/msgid/django-users/93d8e49a-782a-4b14-8977-f2be9c2685a9%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
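One thing worth checking against the dumps in the post above: the server-side dict ends right before `jivaana_product_list`, whose value starts with `[{"...`, and every cookie after it, `csrftoken` included, is gone. The standard library's `SimpleCookie` stops parsing a `Cookie` header at the first chunk its grammar rejects and silently drops the remainder. The script below is an added example, not code from the thread or from Django; it assumes the Django version in question handed the raw header to `SimpleCookie`, and the cookie values it uses are constructed.

```python
"""Demonstrate how one unparsable cookie hides every cookie after it
when the raw Cookie header is parsed with the stdlib SimpleCookie."""
from http.cookies import CookieError, SimpleCookie

# Constructed header modelled on the thread's dump (all values made up):
# a JSON-valued cookie, which SimpleCookie cannot parse unquoted,
# sits in front of csrftoken.
RAW_HEADER = (
    'sessionid=constructedsession123; '
    'oscar_history="[6251\\054 11144]"; '
    'product_list=[{"page":"/product/x/","name":"Blue Juttis"}]; '
    'csrftoken=CONSTRUCTEDCSRFTOKEN0000000000; '
    '_ga=GA1.2.1.1'
)


def strict_parse(header):
    """Stdlib behaviour: parsing stops at the first chunk the cookie
    grammar rejects, so later cookies never reach the application."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def lenient_parse(header):
    """Browser-style parse: split on ';' and keep every name=value pair,
    so a malformed cookie cannot mask the ones that follow it."""
    cookies = {}
    for chunk in header.split(';'):
        if '=' not in chunk:
            continue  # attribute without a value; nothing to keep
        name, value = chunk.split('=', 1)
        if name.strip():
            cookies[name.strip()] = value.strip()
    return cookies


def dropped_by_strict_parse(header):
    """Cookie names the browser sent that the strict parser lost."""
    return sorted(set(lenient_parse(header)) - set(strict_parse(header)))


if __name__ == "__main__":
    print("strict :", sorted(strict_parse(RAW_HEADER)))
    print("lenient:", sorted(lenient_parse(RAW_HEADER)))
    print("dropped:", dropped_by_strict_parse(RAW_HEADER))
```

Running `dropped_by_strict_parse` over a captured header of an affected user is a quick way to confirm or rule out this parsing path before looking at the CSRF middleware itself.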
