16

I am making a login-form app, but when I run my app and click on the login button the following error occurs:

Forbidden (403) CSRF verification failed. Request aborted.

The code of view.py is as follows:

from django.template import loader
from django.shortcuts import render_to_response
from registration.models import Registration
from django.http import HttpResponse
from django.template import RequestContext
from django.shortcuts import redirect


def view_login(request, registration_id):
    t = loader.get_template('registration/login.html')
    try:
        registration = Registration.objects.get(pk=registration_id)
    except Registration.DoesNotExist:
        return render_to_response("login.html", {"registration_id": registration_id})

def home(request, registration_id):
    if request.method == "POST":
        username = request.POST.get('user_name')
        password = request.POST.get('password')
        user = authenticate(username=username, password=password)
        if user is not None:
            if user.is_active:
                login(request, user)
                # success
                return render('registration/main_page.html', {'registration_id': registration_id}, context_instance=RequestContext(user))
            else:
                # user was not active
                return redirect('q/', context_instance=RequestContext(user))
        else:
            # not a valid user
            return redirect('q/', context_instance=RequestContext(user))
    else:
        # URL was accessed directly
        return redirect('q/', context_instance=RequestContext(user))
user786
  • I was getting this error with django-allauth and didn't think the module had an issue. I later found out old code in my base.html file was breaking the form. This may help someone, as none of the answers here were relevant to me. https://code.djangoproject.com/ticket/28488 is where I found out that some broken, unrelated code could be the cause. – Alex Winkler Dec 21 '19 at 19:04
  • I've just had this csrf issue, and it was related to ezoic javascript I'd just added (ezoic being the ad company). Very hard to realise why it was an issue, but luckily it was the only change I'd made, so easy to revert. – gmcc051 Feb 25 '23 at 03:00

8 Answers

22

You need to add {% csrf_token %} in your form

https://docs.djangoproject.com/en/2.2/ref/csrf/

like this (the token only matters for POST forms, so declare the method):

<form method="post">
    {% csrf_token %}
    <anything_else>
</form>

Also, you have to use RequestContext(request) every time you use render_to_response:

return render_to_response("login.html",
    {"registration_id":registration_id},
    context_instance=RequestContext(request))

And you have to import authenticate and login :

from django.contrib.auth import authenticate, login
user8193706
BlueMagma
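To show what the {% csrf_token %} tag actually adds to the form and why its absence produces the 403, here is an added Python re-implementation of the token side of Django's CsrfViewMiddleware (example code written for this page, not Django's own; the function names, the paraphrased reason strings and the sample form data are assumptions):

```python
import secrets
from string import ascii_letters, digits
# Alphabet and sizes Django's csrf module uses (re-implementation for this page, not Django's code).
CSRF_ALLOWED_CHARS = ascii_letters + digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

def new_secret():
    """Per-client secret that Django stores in the csrftoken cookie on the first GET."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))

def mask_secret(secret, mask=None):
    """Form token = random mask + (secret + mask) mod 62, so every rendered page carries a different token."""
    mask = mask or new_secret()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    return mask + "".join(chars[(x + y) % len(chars)] for x, y in pairs)

def unmask_token(token):
    """Inverse of mask_secret: recover the 32-char secret from a 64-char form token."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[x - y] for x, y in pairs)  # negative index wraps, i.e. mod 62

def csrf_token_tag(cookie_secret):
    """The hidden input that {% csrf_token %} expands to inside the <form>."""
    return '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % mask_secret(cookie_secret)

def check_token(cookie_secret, post_data, headers):
    """None if the POST passes the token check, else a reason paraphrasing Django's 403 messages."""
    if cookie_secret is None:
        return "CSRF cookie not set."
    # Django takes the token from the form field, or from the X-CSRFToken header for AJAX posts.
    token = post_data.get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not token:
        return "CSRF token missing."
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return "CSRF token has incorrect length or invalid characters."
    if not secrets.compare_digest(unmask_token(token), cookie_secret):
        return "CSRF token incorrect."
    return None

if __name__ == "__main__":
    cookie = new_secret()  # constructed: what the GET of login.html would have set
    print(check_token(cookie, {"user_name": "alice", "password": "x"}, {}))  # asker's form: no token field
    token = csrf_token_tag(cookie).split('value="')[1].rstrip('">')
    print(check_token(cookie, {"csrfmiddlewaretoken": token}, {}))  # None: accepted
```

The asker's form posts only user_name and password, so the middleware finds no token at all; once the hidden input is present and its unmasked value equals the cookie secret, the same POST is accepted.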
17

For those who are using Django==4.* or above, there must be an additional field in settings.py called CSRF_TRUSTED_ORIGINS=[]; add your domain there. Problem solved.

Check this latest release.

Adrian Mole
Muhammed Fayis
  • Thank you! This was the problem for me. How does one keep up with version changes like this; do you just make a point of reading the release notes whenever they are released? Even with DEBUG=True the error wasn't at all helpful for me; it was pure luck that I came across your answer. – Nathaniel Hoyt May 26 '22 at 19:08
10

In Django ≥ 4 it is now necessary to specify CSRF_TRUSTED_ORIGINS in settings.py:

CSRF_TRUSTED_ORIGINS = ['https://your-domain.com', 'https://www.your-domain.com']

See documentation

darl1ne
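As an added illustration of the CSRF_TRUSTED_ORIGINS check the two answers above describe, this Python re-implements the Origin-header comparison that Django 4.x's CsrfViewMiddleware performs, including the `https://*.your-domain.com` wildcard form (example code written for this page, not Django's; OriginChecker, check_post_origin and the reverse-proxy host value are assumptions):

```python
from urllib.parse import urlparse

def is_same_domain(host, pattern):
    """Django-style match: '.your-domain.com' matches the apex and every subdomain."""
    pattern = pattern.lower()
    host = host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern

class OriginChecker:
    """Pre-computes the two lookup tables CsrfViewMiddleware builds from CSRF_TRUSTED_ORIGINS."""
    def __init__(self, trusted_origins):
        for origin in trusted_origins:
            if "://" not in origin:  # Django 4.0 rejects scheme-less entries at startup (system check)
                raise ValueError("CSRF_TRUSTED_ORIGINS entry needs a scheme: %r" % origin)
        self.exact = {o for o in trusted_origins if "*" not in o}
        self.subdomains = {}  # scheme -> ['.your-domain.com', ...]
        for o in trusted_origins:
            if "*" in o:
                parsed = urlparse(o)
                self.subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))

    def origin_verified(self, request_origin, host, is_secure):
        """True if the Origin header matches the request's own host or a trusted origin."""
        good_origin = "%s://%s" % ("https" if is_secure else "http", host)
        if request_origin == good_origin or request_origin in self.exact:
            return True
        try:
            parsed = urlparse(request_origin)
        except ValueError:
            return False
        return any(is_same_domain(parsed.netloc, p) for p in self.subdomains.get(parsed.scheme, ()))

def check_post_origin(checker, headers, host, is_secure):
    """None if the POST is accepted, else the reason Django would show on the 403 page."""
    origin = headers.get("Origin")
    if origin is None:
        return None  # no Origin header: Django falls back to a Referer check on HTTPS (not modelled here)
    if checker.origin_verified(origin, host, is_secure):
        return None
    return "Origin checking failed - %s does not match any trusted origins." % origin

if __name__ == "__main__":
    # Constructed scenario: the browser posts to https://www.your-domain.com, but behind the reverse
    # proxy Django sees Host "app.internal:8000" over plain HTTP, so Origin != its own origin.
    headers, host = {"Origin": "https://www.your-domain.com"}, "app.internal:8000"
    print(check_post_origin(OriginChecker([]), headers, host, False))  # the 403 reason
    fixed = OriginChecker(["https://your-domain.com", "https://*.your-domain.com"])
    print(check_post_origin(fixed, headers, host, False))  # None: accepted
```

This is why the setting only becomes necessary after an upgrade or when a proxy sits in front of Django: the browser's Origin stops matching the host and scheme Django reconstructs for itself, and the scheme must be part of each entry.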
3

Just comment out 'django.middleware.csrf.CsrfViewMiddleware' in your settings.py, which works for me:

# settings.py
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

THIS MAY HAVE SECURITY FLAWS UNLESS YOU SOMEHOW MANAGE CSRF IN ANOTHER WAY, AND IS NOT RECOMMENDED, AS YOU WILL BE SUSCEPTIBLE TO CSRF ATTACKS

chris Frisina
Yitong Feng
2

I encountered this problem while using the book "The Definitive Guide to Django" wherein version 1.1 is used. The book does not address the need for csrf_token verification that is mandated in later versions.

To fix this issue, add:

from django.template import RequestContext

to the views.py file and this added argument for the render_to_response function:

context_instance = RequestContext(request)

Be sure to add {% csrf_token %} within the <form> tags in the template.

asgaines
0

When you have "Forbidden (403) CSRF verification failed. Request aborted" you can alternatively do:

option (2) (not preferred)

import:

from django.template.context_processors import csrf

add to context:

context = {"registration_id": registration_id}
context.update(csrf(request))

return:

-Django > 1.9 has "context" instead of "context_instance"

return render_to_response("login.html", context=context)

option (3) (preferred)

import:

-instead of importing "render_to_response" import "render"

from django.shortcuts import render

return:

return render(request, "login.html", context)

Apparently option 3 is preferable, because "render" is shorter than "render_to_response", especially if you need to import and add stuff. I could imagine option 2 keeps a leaner context dict, but this seems trivial (?).

For clarity:

Both solutions still need the {% csrf_token %} in your HTML form as mentioned above. And never turn off or comment out the csrf middleware.

sources:

old Django 1.9 docs on RequestContext

Django 2 docs on the csrf processor

source explaining render is enough

DZet
0

While it is probably not the OP's problem, I discovered that adding the verification code from ezoic actually messed up my CSRF process. Adding the code destroyed my site's login process and probably other forms as well.

  • From Review: Hi, this post does not seem to provide an [answer](https://stackoverflow.com/help/how-to-answer) to the question; it is better suited as a comment. Please either edit your answer and improve it, or just post it as a comment to the other answer. – sɐunıɔןɐqɐp Feb 05 '21 at 14:57
-1
method: 'POST',
headers: {
    'Content-Type': 'application/json',
    "X-CSRFToken": $("[name=csrfmiddlewaretoken]").val()
},

{% csrf_token %} => add this inside the header tag in the HTML
David Buck
Saravanan