I have a Django 1.2.5 (stable release) site that is being developed and tested on an Ubuntu 10.10 machine. The dev box is on a LAN with some Windows machines that need to be able to view and test the site as well. So far, it is just the admin that I am trying to share.
The site works great on the dev box and can be reached at 127.0.0.1:8080/admin or 192.168.17.165:8080/admin (the dev box's LAN IP) when the development server is started with ./manage.py runserver and ./manage.py runserver 192.168.17.165:8080 respectively. However, when the Windows machine tries to reach the server at 192.168.17.165:8080/admin, the admin login page loads just fine, so things are almost set up correctly, but when the verified username and password are entered and the submit button is pressed, the POST fails and the following error is returned:
Forbidden (403) CSRF verification failed. Request aborted.
Reason given for failure:
No CSRF or session cookie.
(very similar to @thomallen's post)
Here are some things that I have already checked that don't seem to have any effect:
I know that the login.html template has the {% csrf_token %} tag added. When I view the source of the page, the tag
{% block content %}
{% if error_message %}
<p class="errornote">{{ error_message }}</p>
{% endif %}
<div id="content-main">
<form action="{{ app_path }}" method="post" id="login-form">{% csrf_token %}
<div class="form-row">
<label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
</div>
is present. (stock admin login.html)
I have messed with the order of all the Middleware lines as seen here http://josh.gourneau.com/blog/2010/02/17/django-12-csrf-verification-failed/. Nothing. Here is what I have:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.middleware.csrf.CsrfResponseMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
)
I thought maybe I should mess with these, but it didn't seem to help:
SESSION_COOKIE_DOMAIN = '192.168.17.165'
CSRF_COOKIE_DOMAIN = '192.168.17.165'
Cleared out all other cookies and web history. Turned off firewall.
My current suspicion: On the dev box (the one that works), Firefox shows 2 cookies present, sessionid and csrftoken. The Windows boxes do not seem to be getting these tokens. I looked into the HTTP headers using the Firefox Live HTTP Headers plugin on both machines. The Linux box (same as the server) gets:
Set-Cookie: csrftoken=83bae579460e9d123d9d904f4e2ef4d5; Max-Age=31449600; Path=/
Set-Cookie: sessionid=ec2b472837318347f6e6c8243f9e0afd; expires=Sat, 02-Apr-2011 04:29:46 GMT; Max-Age=1209600; Path=/
The Windows box gets very similar info, but the Max-Age of the cookie is set to 0 (Max-Age=0). After this, the Windows machines don't store the cookies. This apparently kills the session immediately, according to ietf.org/rfc/rfc2109.txt. I did try setting SESSION_COOKIE_AGE to 10000, but it didn't take.
What do I need to do to get the stock Django development server to send valid cookies to a remote machine? I can't be the only one...
Other similar Stack Overflow posts and links that seemed promising but didn't work:
- Why is Django admin login giving me 403 CSRF error?
- Django outputs CSRF token as object instead of value
I have read all the documentation and had a couple of people help me look at it, and I have no clue what could be causing this. I am sure there are ways to disable CSRF as a workaround, but shouldn't this be working?
It turned out to be a secondary piece of software that was not turned off. CA Anti Virus had a separate process running that was blocking cookies after the fact.
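The diagnosis above (compare the Set-Cookie headers the server emits with the ones the client actually receives, and note that Max-Age=0 makes a conforming browser discard the cookie at once) can be scripted. The following is an added example, not code from the question, the answer or Django itself. The two header lists are constructed from the values quoted in the question; the client-side copies with Max-Age=0 are an assumption, since the question only says that the Windows box saw Max-Age=0. The `fetch_set_cookie` helper (hypothetical name) is there so the same check can be run from the dev box and from a Windows box against 192.168.17.165:8080 and the two results diffed; everything else runs offline.

```python
"""Classify Set-Cookie headers and diff what the server sent against what
the client received.  Added example; not from the question or from Django."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import http.client

# Constructed sample: the headers the dev box (same host as the server) saw,
# taken from the question.
SERVER_SIDE = [
    "csrftoken=83bae579460e9d123d9d904f4e2ef4d5; Max-Age=31449600; Path=/",
    "sessionid=ec2b472837318347f6e6c8243f9e0afd; "
    "expires=Sat, 02-Apr-2011 04:29:46 GMT; Max-Age=1209600; Path=/",
]
# Constructed sample (assumption): the same cookies as the Windows box saw them.
CLIENT_SIDE = [
    "csrftoken=83bae579460e9d123d9d904f4e2ef4d5; Max-Age=0; Path=/",
    "sessionid=ec2b472837318347f6e6c8243f9e0afd; "
    "expires=Sat, 02-Apr-2011 04:29:46 GMT; Max-Age=0; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: val}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    get an empty string value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def disposition(attrs, now):
    """How a conforming user agent treats the cookie (RFC 6265, 5.2.2/5.3):
    'persistent' (stored until expiry), 'session' (kept until the browser
    closes) or 'deleted' (expiry already in the past, i.e. Max-Age <= 0 or an
    Expires date that has passed; the cookie is discarded immediately).
    Max-Age takes precedence over Expires when both are present."""
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
        else:
            return "deleted" if max_age <= 0 else "persistent"
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable Expires is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "deleted" if expires <= now else "persistent"
    return "session"


def audit(headers, now=None):
    """Map each cookie name to its disposition for a list of Set-Cookie values."""
    now = now or datetime.now(timezone.utc)
    return {name: disposition(attrs, now)
            for name, _, attrs in map(parse_set_cookie, headers)}


def diff_cookie_sets(sent, received, now=None):
    """Return {name: (disposition as sent, disposition as received)} for every
    cookie the client will treat differently from what the server intended.
    A cookie absent on the client side is reported as 'missing'."""
    now = now or datetime.now(timezone.utc)
    sent_disp = audit(sent, now)
    recv_disp = audit(received, now)
    return {name: (before, recv_disp.get(name, "missing"))
            for name, before in sent_disp.items()
            if recv_disp.get(name, "missing") != before}


def fetch_set_cookie(host, port, path="/admin/"):
    """Request `path` and return the raw Set-Cookie values.  Run this from
    each machine against the dev server and diff the results (needs network)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for name, (before, after) in diff_cookie_sets(SERVER_SIDE, CLIENT_SIDE).items():
        print(f"{name}: server sent {before}, client received {after}")
```

Run against the constructed samples, both csrftoken and sessionid come back as persistent on the server side and deleted on the client side, which is exactly why the subsequent POST reports "No CSRF or session cookie": the browser never kept either cookie. A non-empty diff between the headers captured on the server host and on the remote box points at something in between (a proxy, a filtering product such as the anti-virus named in the answer) rewriting the response rather than at the Django settings.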