#24280: CSRF cookie error only happening with Chrome.
---------------------------------+--------------------------
     Reporter:  jkapple          |      Owner:  nobody
         Type:  Bug              |     Status:  new
    Component:  CSRF             |    Version:  1.6
     Severity:  Release blocker  |   Keywords:  CSRF, chrome
 Triage Stage:  Unreviewed       |  Has patch:  0
Easy pickings:  0                |      UI/UX:  0
---------------------------------+--------------------------
 I have a site that is running Django 1.6.10. Recently some of our admins
 had trouble logging in and were getting the CSRF 403 error page. They had
 to delete all their cookies for the site to be able to log in again. This
 led me to wonder if it was more widespread, since the CSRF error page
 doesn't get logged. I enabled logging and I'm seeing about 10% of posts
 having issues.

 My settings.py looks like this:

 {{{
 TEMPLATE_CONTEXT_PROCESSORS = (
 'django.contrib.auth.context_processors.auth',
 'django.core.context_processors.debug',
 'django.core.context_processors.csrf',
 'django.core.context_processors.i18n',
 'django.core.context_processors.media',
 'django.core.context_processors.request',
 'django.core.context_processors.static',
 )

 MIDDLEWARE_CLASSES = (
 'debug_toolbar.middleware.DebugToolbarMiddleware',
 'django.middleware.cache.UpdateCacheMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.middleware.doc.XViewMiddleware',
 'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',

 'linaro_django_pagination.middleware.PaginationMiddleware',

 'django.middleware.cache.FetchFromCacheMiddleware',
 )
 }}}

 The views causing the issue are generic class based views with a comment
 post form. The form has {% csrf_token %} inside the form tags. The error
 that is getting triggered is REASON_NO_CSRF from the csrf middleware.
 {{{
 <WSGIRequest
 path:/accounts/login/,
 GET:<QueryDict: {u'next': [u'/profile/edit/']}>,
 POST:<QueryDict: {u'username': [REDACTED], u'csrfmiddlewaretoken':
 [u'Ns42nlyOUgLRUatcjjr0cfpRYwVSDETk'], u'password': [u'REDACTED']}>,
 COOKIES:{'HIRO_COOKIE':
 'data=&newSession=false&id=REDACTED&timestamp=1414023546237',
 'OX_plg': 'swf|shk|pm',
 'SS_ARE_Override.traceLevel': 'WARN',
 '__gads':
 'ID=b5f389086388b528:T=1413419752:S=ALNI_MaqCqguvaHWhG76FGjhHzPTieaGeA',
 '__qca': 'P0-2120806691-1413419758360',
 '__sonar': '749077714819215977',
 '_bsef2f5b6aaad756f2445ed7606b648325': '1',
 'acudeoSession.': '%7B%22time%22%3A1421376382060%2C%22adIndex%22%3A1%7D',
 'ebNewBandWidth_.www.REDACTED.com': 'REDACTED',
 'mlUserID': '9X8L0kMS8ypL',
 'targus.BirthYear': '',
 'targus.ap_seg': '',
 'targus.gender': '',
 'targus.matched': '1',
 'targus.segment': '000',
 'targus.zip': '',
 'vsl_userid': 'c4ee281a94b19b5cb09d83ee93e98f55'},

 META:{'CONTENT_LENGTH': '92',
 'CONTENT_TYPE': 'application/x-www-form-urlencoded',
 u'CSRF_COOKIE': u'CV5Vh0mpa578LnKGK1Lfj6pRVB1cwc6E',
 'DOCUMENT_ROOT': '/usr/local/apache2/htdocs',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
 'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
 'HTTP_ACCEPT_LANGUAGE': 'en,en-GB;q=0.8',
 'HTTP_CACHE_CONTROL': 'max-age=0',
 'HTTP_CONNECTION': 'close',
 }}}

 The odd thing is that this just started happening and it only affects Chrome
 user agents. I can step through with Chrome developer tools and see that a
 csrftoken cookie is present, but randomly after submitting, the error
 REASON_NO_CSRF gets triggered in the middleware.

 Doing the same exact thing in Firefox or Internet Explorer works fine. My
 Chrome install has no extensions running and is the latest 32-bit version.

--
Ticket URL: <https://code.djangoproject.com/ticket/24280>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
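The request dump in the ticket shows a POST carrying a csrfmiddlewaretoken while COOKIES contains no csrftoken entry and META carries a different CSRF_COOKIE value. The following added example (not Django's code and not from the ticket) reimplements the middleware's cookie-versus-token decision in plain Python and builds the triage record a custom CSRF failure view could log, so that failures from Chrome and from other browsers can be compared field by field. The request below is constructed from the dump's fields (cookies abbreviated); the record layout and logger name are assumptions.

```python
import logging
import re

CSRF_COOKIE_NAME = "csrftoken"                     # Django's default cookie name
REASON_NO_CSRF = "CSRF cookie not set."            # Django 1.6 reason strings
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

logger = logging.getLogger("csrf.triage")          # assumed logger name


def check_csrf(cookies, post, meta):
    """Simplified mirror of CsrfViewMiddleware.process_view for a POST:
    no cookie at all -> REASON_NO_CSRF; cookie present but the token sent
    in the form (or X-CSRFToken header) differs -> REASON_BAD_TOKEN."""
    if CSRF_COOKIE_NAME not in cookies:
        return REASON_NO_CSRF
    # Django strips non-alphanumeric characters from the cookie before comparing.
    cookie_token = re.sub(r"[^a-zA-Z0-9]+", "", cookies[CSRF_COOKIE_NAME])
    request_token = post.get("csrfmiddlewaretoken") or meta.get("HTTP_X_CSRFTOKEN", "")
    if request_token != cookie_token:
        return REASON_BAD_TOKEN
    return None


def triage_record(cookies, post, meta, reason):
    """Fields worth logging on every CSRF failure: which check failed, whether
    the cookie arrived at all, how many cookies came with it, and whether the
    posted token matches what the middleware ended up holding in META."""
    return {
        "reason": reason,
        "path": meta.get("PATH_INFO", ""),
        "user_agent": meta.get("HTTP_USER_AGENT", ""),
        "cookie_count": len(cookies),
        "csrf_cookie_present": CSRF_COOKIE_NAME in cookies,
        "posted_token_matches_meta": post.get("csrfmiddlewaretoken") == meta.get("CSRF_COOKIE"),
    }


def log_failure(cookies, post, meta):
    """Run the check and emit the triage record; returns the record for callers."""
    reason = check_csrf(cookies, post, meta)
    record = triage_record(cookies, post, meta, reason)
    if reason:
        logger.warning("CSRF failure: %s", record)
    return record


# Constructed from the ticket's dump: no csrftoken among the cookies.
TICKET_COOKIES = {"OX_plg": "swf|shk|pm", "mlUserID": "9X8L0kMS8ypL", "targus.matched": "1"}
TICKET_POST = {"csrfmiddlewaretoken": "Ns42nlyOUgLRUatcjjr0cfpRYwVSDETk"}
TICKET_META = {"PATH_INFO": "/accounts/login/", "CSRF_COOKIE": "CV5Vh0mpa578LnKGK1Lfj6pRVB1cwc6E"}
```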