I'm fairly new to Django. Here's what I need insight on:
After updating from Django 3 to 4:
On the local dev server, no issue.
On production: CSRF 403 error on login.
There's a cookie loaded on the login page containing
csrftoken: pAFeeUI8YFXZ2PKRYxOTX1qz4Xgto42WVNi7FFvBlZDqcFLwQ2rdQvVeZBHFSpLW
(Local and Session storage are empty)
In the FORM element:
<input type="hidden" name="csrfmiddlewaretoken" value="Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR">
Notice they don't match.
I tried manually deleting the cookie and also running ./manage.py clearsessions.
The first time, yesterday, it seemed that the error did not occur in an Incognito Window, but today it persists even in an incognito window, as well as a different browser.
One additional piece of information
allauth had been previously installed, but was causing an infinite redirect loop on login, so it was removed. The login page URL is /login/?next=/.
Thanks much.
CodePudding user response:
You must add {% csrf_token %}:
{% csrf_token %}
<input type="hidden" name="csrfmiddlewaretoken" value="Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR">
I think that.
CodePudding user response:
At least in Django 4.0, you can (and possibly must) specify CSRF trusted origins in your settings.py file:
CSRF_TRUSTED_ORIGINS = ["https://yourdomain.com", "https://www.yourdomain.com"]
Note www and non-www, as well as no trailing /.
At any rate, it solved the issue for me.
See Docs.
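Two things are worth checking before touching settings, and both can be done offline with the values quoted in the question. First, the cookie value and the hidden field are not supposed to be equal: Django masks the 32-character CSRF secret with a fresh random mask every time it renders it, so the cookie and the form field are two different encodings of the same secret, and the middleware compares them only after unmasking. Second, Django 4.0 started checking the Origin header against the request's own scheme://host and against CSRF_TRUSTED_ORIGINS (which must now include the scheme), so a 403 on a site where the tokens do match is usually an origin failure. The block below is an added example, not code from the question or from Django itself: unmask_cipher_token reimplements Django's masking scheme (same alphabet and lengths as django.middleware.csrf), origin_allowed is a simplified model of the Django 4 origin check (the real middleware also falls back to the Referer header on HTTPS when Origin is absent), and the settings values are the placeholders from the answer above.

```python
import hmac
import string
from urllib.parse import urlsplit

# Same alphabet and lengths that Django's CsrfViewMiddleware uses.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

# The two values quoted in the question (cookie and hidden form field).
COOKIE_TOKEN = "pAFeeUI8YFXZ2PKRYxOTX1qz4Xgto42WVNi7FFvBlZDqcFLwQ2rdQvVeZBHFSpLW"
FORM_TOKEN = "Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR"


def unmask_cipher_token(token: str) -> str:
    """Recover the 32-char secret from a 64-char masked token.

    A masked token is mask + cipher, where mask is 32 random chars and
    cipher[i] = (secret[i] + mask[i]) mod 62 over CSRF_ALLOWED_CHARS.
    Every render uses a new mask, so two tokens for one secret look unrelated.
    """
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        raise ValueError("not a well-formed masked CSRF token")
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def tokens_match(cookie_token: str, form_token: str) -> bool:
    """Compare the underlying secrets in constant time; malformed input never matches."""
    try:
        return hmac.compare_digest(unmask_cipher_token(cookie_token), unmask_cipher_token(form_token))
    except ValueError:
        return False


def origin_allowed(request_origin: str, request_scheme: str, request_host: str, trusted_origins) -> bool:
    """Simplified model of the Django 4 Origin check.

    Accepts when the Origin header equals the request's own scheme://host, or an
    exact entry of CSRF_TRUSTED_ORIGINS, or a wildcard entry like https://*.example.com.
    Entries are compared as whole strings, so a trailing slash or a missing scheme
    means the entry can never match a browser-sent Origin.
    """
    if request_origin == f"{request_scheme}://{request_host}":
        return True
    if request_origin in {o for o in trusted_origins if "*" not in o}:
        return True
    parsed = urlsplit(request_origin)
    for entry in trusted_origins:
        scheme, _, netloc = entry.partition("://")
        if not netloc.startswith("*."):
            continue
        suffix = netloc[1:]  # ".example.com"
        if parsed.scheme == scheme and (parsed.netloc == suffix[1:] or parsed.netloc.endswith(suffix)):
            return True
    return False


if __name__ == "__main__":
    print("secrets equal:", tokens_match(COOKIE_TOKEN, FORM_TOKEN))
    settings = ["https://yourdomain.com", "https://www.yourdomain.com"]  # from the answer above
    # Typical production layout: TLS terminated at a proxy, Django sees plain http.
    print("origin ok:", origin_allowed("https://www.yourdomain.com", "http", "www.yourdomain.com", settings))
```

Running this shows that the two tokens in the question unmask to the same secret, so the token comparison passes and the 403 has to come from the origin check. The second call shows the usual production failure: when TLS terminates at a proxy and Django sees the request as http, the browser's https Origin no longer equals the request's own scheme://host, so it is only accepted through CSRF_TRUSTED_ORIGINS. Listing the origins as the answer suggests fixes that; so does letting Django see the real scheme via SECURE_PROXY_SSL_HEADER, which is the cleaner fix when the proxy sets a trustworthy header.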