CSRF 403 in default Django login

Time:06-18

I'm fairly new to Django. Here's what I need insight on:

After updating from Django 3 to 4:

On the local dev server, no issue.

On production: CSRF 403 error on login.

There's a cookie loaded on the login page containing

csrftoken: pAFeeUI8YFXZ2PKRYxOTX1qz4Xgto42WVNi7FFvBlZDqcFLwQ2rdQvVeZBHFSpLW

(Local and Session storage are empty)

In the FORM element:

<input type="hidden" name="csrfmiddlewaretoken" value="Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR">

Notice they don't match.

I tried manually deleting the cookie and also running ./migrate.py clearsessions.

The first time, yesterday, it seemed that the error did not occur in an Incognito window, but today it persists even in an Incognito window, as well as in a different browser.

One additional piece of information:

allauth had previously been installed, but was causing an infinite redirect loop on login, so I removed it. The login page URL is /login/?next=/.

Thanks much.
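As an added illustration (not code from this thread and not Django's own source): in Django 4.0 the csrftoken cookie and the form's csrfmiddlewaretoken are both the same 32-character secret under two different random masks, so they are expected to differ as strings. The snippet below reimplements that masking scheme with my own function names to show how the middleware's comparison actually works: it unmasks both values and compares the secrets in constant time. Django 4.1 and later store the bare secret in the cookie instead of a masked token, but the form token is still masked.

```python
"""Why the csrftoken cookie and the form's csrfmiddlewaretoken differ yet still match.

Reimplementation of Django 4.0's CSRF token masking for illustration only;
function names are this example's own, not Django's.
"""
import hmac
import secrets
import string

# Alphabet and lengths Django uses: letters + digits, 32-char secret, 64-char masked token.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    """Random string over the CSRF alphabet (used for both secrets and masks)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, mask=None):
    """Return mask + ((secret + mask) mod alphabet).

    A fresh mask is drawn on every call, so two tokens for the same secret
    never look alike; the optional mask argument exists only to make tests deterministic.
    """
    if mask is None:
        mask = new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    n = len(chars)
    cipher = "".join(
        chars[(chars.index(s) + chars.index(m)) % n] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: strip the mask prefix and subtract it from the cipher part."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    n = len(chars)
    return "".join(
        chars[(chars.index(c) - chars.index(m)) % n] for c, m in zip(cipher, mask)
    )


def tokens_match(cookie_token, form_token):
    """Mirror of the middleware check: reject malformed tokens, then compare secrets in constant time."""
    for token in (cookie_token, form_token):
        if len(token) != CSRF_TOKEN_LENGTH or any(ch not in CSRF_ALLOWED_CHARS for ch in token):
            return False
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(form_token))


def demo():
    """Constructed scenario: one secret, two masks, plus a token from an unrelated session."""
    secret = new_csrf_string()
    cookie_token = mask_secret(secret)            # what the csrftoken cookie carried in 4.0
    form_token = mask_secret(secret)              # what {% csrf_token %} renders into the hidden input
    foreign_token = mask_secret(new_csrf_string())  # a token minted for a different secret
    return {
        "strings_differ": cookie_token != form_token,
        "same_secret": tokens_match(cookie_token, form_token),
        "foreign_token_rejected": not tokens_match(cookie_token, foreign_token),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence: a mismatch between the cookie string and the form string is not evidence of a problem. A 403 means the secrets behind them differ (the cookie was re-issued after the page rendered, or the form was rendered without the tag), or that the request failed a different check in the middleware, such as the origin check.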

CodePudding user response:

You must add {% csrf_token %}:

{% csrf_token %}
{# the tag above renders the hidden input, e.g.: #}
<input type="hidden" name="csrfmiddlewaretoken" value="Vz4FiujD4qkLpxCwWNJU0HCWs4u0Qf4RrMHyJf66rK0cznDbOimeTb7BnIVckANR">

I think that is it.

CodePudding user response:

At least in Django 4.0, you can–and possibly must–specify CSRF trusted origins in your settings.py file:

CSRF_TRUSTED_ORIGINS = ["https://yourdomain.com", "https://www.yourdomain.com"]

Note the www and non-www entries, and that there is no trailing /.

At any rate, it solved the issue for me.

See Docs.
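Added example (my own reimplementation for illustration, not Django's source and not from this thread): a Django-4-style origin check showing why the entries in CSRF_TRUSTED_ORIGINS need a scheme and no trailing slash. Django 4.0 compares the request's Origin header against `scheme://host` of the current request and against the configured trusted origins as exact strings (with `https://*.example.com` style wildcards). The function names and the sample origins are this example's own. It also shows the case worth checking when the local server is fine but production behind a TLS-terminating proxy is not: if Django sees the request as plain http while the browser sent `Origin: https://...`, the first comparison fails and only a correctly formed CSRF_TRUSTED_ORIGINS entry (or a correct SECURE_PROXY_SSL_HEADER) rescues it.

```python
"""Django-4-style CSRF origin check: scheme required, trailing slash fatal.

Reimplementation for illustration only; names are this example's own.
Covers only the Origin-header path (Django falls back to a Referer check on HTTPS
when no Origin header is present).
"""
from urllib.parse import urlparse


def validate_trusted_origins(trusted_origins):
    """Mirror of the Django 4.0 system check: every entry must carry a scheme.

    Returns the offending entries; an empty list means the setting is acceptable.
    """
    return [origin for origin in trusted_origins if "://" not in origin]


def split_trusted_origins(trusted_origins):
    """Separate exact origins from wildcard ones, keyed by scheme like Django does."""
    exact = set()
    wildcard = {}  # scheme -> list of ".suffix" host patterns
    for origin in trusted_origins:
        parsed = urlparse(origin)
        if "*" in parsed.netloc:
            wildcard.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
        else:
            exact.add(origin)
    return exact, wildcard


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and any subdomain; anything else must match exactly."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def origin_verified(request_origin, request_scheme, request_host, trusted_origins):
    """True when the Origin header names this site or a trusted origin.

    request_scheme/request_host are what Django derives from the request itself,
    which behind a proxy may be 'http' even though the browser used https.
    """
    # 1. Same-origin as the request Django actually sees.
    if request_origin == f"{request_scheme}://{request_host}":
        return True
    # 2. Exact match against CSRF_TRUSTED_ORIGINS (string compare: 'https://a.com/' != 'https://a.com').
    exact, wildcard = split_trusted_origins(trusted_origins)
    if request_origin in exact:
        return True
    # 3. Wildcard entries, matched only for the same scheme.
    parsed = urlparse(request_origin)
    return any(is_same_domain(parsed.netloc, pattern) for pattern in wildcard.get(parsed.scheme, []))


def demo():
    """Constructed scenarios around the settings line from the answer above."""
    trusted = ["https://yourdomain.com", "https://www.yourdomain.com"]
    return {
        # Local dev server: Origin and request agree, no setting needed.
        "local_dev": origin_verified("http://localhost:8000", "http", "localhost:8000", []),
        # Production behind a proxy that strips TLS: scheme mismatch without the setting.
        "prod_no_setting": origin_verified("https://yourdomain.com", "http", "yourdomain.com", []),
        # Same request with the answer's setting in place.
        "prod_with_setting": origin_verified("https://yourdomain.com", "http", "yourdomain.com", trusted),
        # A trailing slash silently breaks the exact comparison.
        "trailing_slash": origin_verified("https://yourdomain.com", "http", "yourdomain.com", ["https://yourdomain.com/"]),
        # Entries without a scheme are rejected by the system check before the server even starts.
        "missing_scheme": validate_trusted_origins(["yourdomain.com", "https://www.yourdomain.com"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```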
