I recently upgraded my application from Django 1.11 to Django 2.0.

I am facing an issue when trying to log in while in the incognito mode of Google Chrome. Only the first time, I get: Forbidden (403) CSRF verification failed. Request aborted. If I resend the login POST, I am still getting the error. But if I go to the login page again, it works normally.

I think it is something related to cookies. My middlewares are the following:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
]

My login view:

from django.contrib.auth.views import LoginView as AuthLoginView

class LoginView(AuthLoginView):
    template_name = 'transactions/login.html'

The template transactions/login.html:

{% extends 'base.html' %}

{% load bootstrap_tags %}

{% block content %}

    <div class="col-sm-6 col-md-4 well">

        <form action="{% url 'login' %}" method="post" class="form">
            {% csrf_token %}
            {{ form|as_bootstrap }}
            <button type="submit" class="btn btn-primary">Login</button>
        </form>

    </div>

{% endblock content %}

I assumed everything is configured correctly, since this problem happens only in this scenario.

Does anybody know what is going on?

thyago stall

1 Answer

When you log in from a regular window you get a csrf_token for your current user, but when you switch to incognito mode you become an anonymous user. Therefore, your old csrf_token doesn't match and it throws a 403 Forbidden error. So, it requires you to log out and log in again.

Mohit S
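As an added illustration (not code from the question, the answer, or Django itself), here is a simplified Python model of the check Django's CsrfViewMiddleware performs on a POST: the form token is the cookie secret under a random mask, and the request is rejected (a 403) when the cookie is absent or its secret differs from the one the form token was derived from. Field names and rejection reasons follow Django; the cookie layout is simplified to hold the bare secret.

```python
import hmac
import secrets
from string import ascii_letters, digits

# Simplified model of Django's masked CSRF tokens (constructed for illustration, not Django's code).
CSRF_ALLOWED_CHARS = ascii_letters + digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def new_secret(length=CSRF_SECRET_LENGTH):
    """Random secret; in this model it is what the csrftoken cookie carries."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret):
    """Fresh random mask + Vigenere-style cipher of the secret: the value {% csrf_token %} renders."""
    mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)] for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token):
    """Strip the mask so that two tokens built from the same secret compare equal."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(chars[(chars.index(c) - chars.index(m)) % len(chars)] for c, m in zip(cipher, mask))


def check_csrf(cookies, post_data):
    """Return None when the POST passes, otherwise the reason a 403 page would report."""
    cookie_secret = cookies.get("csrftoken")
    if cookie_secret is None:
        return REASON_NO_CSRF_COOKIE
    form_token = post_data.get("csrfmiddlewaretoken", "")
    if len(form_token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in form_token):
        return REASON_BAD_TOKEN
    # Constant-time comparison of the unmasked secrets, as Django does.
    if not hmac.compare_digest(unmask_token(form_token), cookie_secret):
        return REASON_BAD_TOKEN
    return None


def demo():
    """Three outcomes: matching cookie, cookie secret changed since the form was rendered, no cookie."""
    old_secret = new_secret()
    form = {"csrfmiddlewaretoken": mask_secret(old_secret)}
    same = check_csrf({"csrftoken": old_secret}, form)
    rotated = check_csrf({"csrftoken": new_secret()}, form)
    missing = check_csrf({}, form)
    return same, rotated, missing
```

The `rotated` case is the mismatch the answer describes: a form token issued against one secret is checked against a cookie that now holds a different one, so reloading the login page (which re-renders the token from the current cookie) clears the error.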