#24280: CSRF cookie error only happening with Chrome.
---------------------------------+--------------------------
     Reporter:  jkapple          |      Owner:  nobody
         Type:  Bug              |     Status:  new
    Component:  CSRF             |    Version:  1.6
     Severity:  Release blocker  |   Keywords:  CSRF, chrome
 Triage Stage:  Unreviewed       |  Has patch:  0
Easy pickings:  0                |      UI/UX:  0
---------------------------------+--------------------------
 I have a site that is running Django 1.6.10. Recently some of our admins had
 trouble logging in and were getting the CSRF 403 error page. They had to
 delete all their cookies for the site to be able to login again. This led me
 to wonder if it was more widespread, since the CSRF error page doesn't get
 logged. I enabled logging and I'm seeing about 10% of posts having issues.
 My Settings.py looks like this:

 {{{
 TEMPLATE_CONTEXT_PROCESSORS = (
     'django.contrib.auth.context_processors.auth',
     'django.core.context_processors.debug',
     'django.core.context_processors.csrf',
     'django.core.context_processors.i18n',
     'django.core.context_processors.media',
     'django.core.context_processors.request',
     'django.core.context_processors.static',
 )

 MIDDLEWARE_CLASSES = (
     'debug_toolbar.middleware.DebugToolbarMiddleware',
     'django.middleware.cache.UpdateCacheMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.middleware.doc.XViewMiddleware',
     'django.contrib.flatpages.middleware.FlatpageFallbackMiddleware',
     'linaro_django_pagination.middleware.PaginationMiddleware',
     'django.middleware.cache.FetchFromCacheMiddleware',
 )
 }}}

 The views causing the issue are generic class based views with a comment post
 form. The form has {% csrf_token %} inside the form tags. The error that is
 getting triggered is REASON_NO_CSRF from the csrf middleware.
 {{{
 <WSGIRequest
 path:/accounts/login/,
 GET:<QueryDict: {u'next': [u'/profile/edit/']}>,
 POST:<QueryDict: {u'username': [REDACTED], u'csrfmiddlewaretoken': [u'Ns42nlyOUgLRUatcjjr0cfpRYwVSDETk'], u'password': [u'REDACTED']}>,
 COOKIES:{'HIRO_COOKIE': 'data=&newSession=false&id=REDACTED&timestamp=1414023546237',
  'OX_plg': 'swf|shk|pm',
  'SS_ARE_Override.traceLevel': 'WARN',
  '__gads': 'ID=b5f389086388b528:T=1413419752:S=ALNI_MaqCqguvaHWhG76FGjhHzPTieaGeA',
  '__qca': 'P0-2120806691-1413419758360',
  '__sonar': '749077714819215977',
  '_bsef2f5b6aaad756f2445ed7606b648325': '1',
  'acudeoSession.': '%7B%22time%22%3A1421376382060%2C%22adIndex%22%3A1%7D',
  'ebNewBandWidth_.www.REDACTED.com': 'REDACTED',
  'mlUserID': '9X8L0kMS8ypL',
  'targus.BirthYear': '',
  'targus.ap_seg': '',
  'targus.gender': '',
  'targus.matched': '1',
  'targus.segment': '000',
  'targus.zip': '',
  'vsl_userid': 'c4ee281a94b19b5cb09d83ee93e98f55'},
 META:{'CONTENT_LENGTH': '92',
  'CONTENT_TYPE': 'application/x-www-form-urlencoded',
  u'CSRF_COOKIE': u'CV5Vh0mpa578LnKGK1Lfj6pRVB1cwc6E',
  'DOCUMENT_ROOT': '/usr/local/apache2/htdocs',
  'GATEWAY_INTERFACE': 'CGI/1.1',
  'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*; q=0.8',
  'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
  'HTTP_ACCEPT_LANGUAGE': 'en,en-GB;q=0.8',
  'HTTP_CACHE_CONTROL': 'max-age=0',
  'HTTP_CONNECTION': 'close',
 }}}

 The odd thing, this just started happening and it only affects Chrome user
 agents. I can step through with Chrome developer tools and see a csrftoken
 cookie is present, but randomly after submitting, the error REASON_NO_CSRF
 gets triggered in the middleware. Doing the same exact thing in Firefox or
 Internet Explorer works fine. My Chrome install has no extensions running and
 is the latest 32 bit version.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/24280>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
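To read the request dump above, here is an added, simplified Python model of the check order in Django 1.6's CsrfViewMiddleware, written for this page and not Django's own code (the constant names, reason strings, request dict shape and the sample cookies are my assumptions, reconstructed from memory and from the ticket's dump). It shows why META['CSRF_COOKIE'] is populated while COOKIES carries no csrftoken, and which rejection reason that combination produces:

```python
import hmac
import logging
import secrets

# Constant names and reason strings mirror Django 1.6's csrf middleware as I
# recall them (assumption); this is a simplified model, not Django's code.
CSRF_COOKIE_NAME = "csrftoken"
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

logger = logging.getLogger("django.request")


def make_request(method, cookies, post, path="/accounts/login/"):
    """Build a minimal request dict shaped like the ticket's WSGIRequest dump."""
    return {"method": method, "path": path, "COOKIES": dict(cookies),
            "POST": dict(post), "META": {}}


def csrf_check(request):
    """Return None when the request passes, otherwise the rejection reason."""
    cookie = request["COOKIES"].get(CSRF_COOKIE_NAME)
    if cookie is None:
        # No cookie arrived: a fresh token is generated for the response. This
        # is why META['CSRF_COOKIE'] is populated in the dump even though
        # COOKIES has no csrftoken entry.
        request["META"]["CSRF_COOKIE"] = secrets.token_urlsafe(24)
    else:
        request["META"]["CSRF_COOKIE"] = cookie
    if request["method"] in SAFE_METHODS:
        return None
    if cookie is None:
        # Rejected before the form token is even looked at: a valid
        # csrfmiddlewaretoken in POST cannot rescue a request with no cookie.
        logger.warning("Forbidden (%s): %s", REASON_NO_CSRF_COOKIE, request["path"])
        return REASON_NO_CSRF_COOKIE
    submitted = request["POST"].get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, cookie):
        return REASON_BAD_TOKEN
    return None


# Constructed sample: the ticket's POST body, with only third-party cookies.
TICKET_POST = {"username": "REDACTED", "password": "REDACTED",
               "csrfmiddlewaretoken": "Ns42nlyOUgLRUatcjjr0cfpRYwVSDETk"}
TICKET_COOKIES = {"OX_plg": "swf|shk|pm", "__qca": "P0-2120806691-1413419758360"}

if __name__ == "__main__":
    req = make_request("POST", TICKET_COOKIES, TICKET_POST)
    print(csrf_check(req))  # CSRF cookie not set.
```

Because the "no cookie" branch runs before the POST token is compared, a request log that records the cookie header alongside the rejection reason is what distinguishes a cookie that never left the browser from a stale or mismatched token.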