django csrf failed when posting from non-secure to secure page

Question

I am having login forms in all static pages. I have enabled csrf middleware in my project. Now when the user submits the form from http static page i get the error,

csrf verification failed

Is there a way to ensure cross site validation, even when posted from non-scure to secure page?

I want to neither add scrf exempt decorator nor change the page to https.

This is my template:

     <form action='{{login_url}}' method = 'post'>
            {% csrf_token %}

            <div class="searchbox login">
 <input autocomplete="off" id="id_fakeusername" type="text" name="fakeusername"    maxlength="100" value='Email' style="color: #727272" onfocus="$('#id_fakeusername').hide();$('#id_username').show();        

$('#id_username').focus();"  />

<input autocomplete="off" type='text' id="id_username" type="text" name="username"  maxlength="100" style="display: none" value='' onblur="if ($('#id_username').attr('value') == '') {$('#id_username').hide();$('#id_fakeusername').show();}"  />
        </div>
        <div class="searchbox login">
            <input autocomplete="off" id="id_fakepassword" type="text" name="fakepassword"  maxlength="50" style="color: #727272" value='Password' onfocus="$('#id_fakepassword').hide(); $('#id_password').show();  $('#id_password').focus();"  />

<input autocomplete="off" type='password' id="id_password" name="password" type="text"  style="display: none" value='' onblur="if ($('#id_password').attr('value') == '') {$('#id_password').hide();$('#id_fakepassword').show();}"  />
        </div>
            {% block nativewin %}
        <div class="loginbut"><input type="submit" border="0" title="Login" value="Login" /></div>
    {% endblock nativewin %}
    </form>

score 3 · Accepted Answer · answered Sep 20 '12 at 08:44

From the CsrfViewMiddleware code [1]:

            # Suppose user visits http://example.com/
            # An active network attacker (man-in-the-middle, MITM) sends a
            # POST form that targets https://example.com/detonate-bomb/ and
            # submits it via JavaScript.
            #
            # The attacker will need to provide a CSRF cookie and token, but
            # that's no problem for a MITM and the session-independent
            # nonce we're using. So the MITM can circumvent the CSRF
            # protection. This is true for any HTTP connection, but anyone
            # using HTTPS expects better! For this reason, for
            # https://example.com/ we need additional protection that treats
            # http://example.com/ as completely untrusted. Under HTTPS,
            # Barth et al. found that the Referer header is missing for
            # same-domain requests in only about 0.2% of cases or less, so
            # we can use strict Referer checking.

So I think the answer to your question is 'no', using the built-in protection!

[1] https://github.com/django/django/blob/master/django/middleware/csrf.py#L118

Thomas Kremmel · Answer 2 · 2012-09-20T07:36:09.757

0

Did you included the {{ csrf_token }} in your template?

<form action="/contact/" method="post">{% csrf_token %}
{{ form.as_p }}
<input type="submit" value="Submit" />
</form>

Did you included a RequestContext in render_to_response?

from django.template import RequestContext
from django.shortcuts import render_to_response

return render_to_response('contact.html', {'form': form},
                   context_instance=RequestContext(request))

If it still not work, follow the steps as described in the docs.

edited Sep 20 '12 at 07:36

answered Sep 20 '12 at 07:25

Thomas Kremmel

14,575
26
108
177

yes i have followed all csrf steps, i can see it work when i post from a secure page. but it dont work when posted from http to https page – Vivek S Sep 20 '12 at 08:22
Just to understand your use case.. Why you want to switch from http to https in a form submission? Either your form is presented, submitted and validated in a http provided page, or an https provided page. – Thomas Kremmel Sep 20 '12 at 08:31
my static pages are in http and login page in https. I have login fom at the top of all static pages. Now when user submits the form from static page, i have to post it the secure login page. – Vivek S Sep 20 '12 at 08:34
Ok. Here is a question that is about exactly your problem. Hope it helps: http://stackoverflow.com/questions/4078882/django-csrf-verification-failed or this one: http://stackoverflow.com/questions/6963491/django-csrf-for-both-http-and-https – Thomas Kremmel Sep 20 '12 at 08:34
yeah, i checked that question before i posted here, i dont have fast-cgi. i serve my site using apache – Vivek S Sep 20 '12 at 08:39
i think it has to do with the strict referer checking as described in point 4: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works .. check also this document: http://www.w3.org/Security/wiki/Same_Origin_Policy – Thomas Kremmel Sep 20 '12 at 08:44

django csrf failed when posting from non-secure to secure page

2 Answers2