On Wed, Nov 16, 2011 at 10:36 AM, Djano_newb <zamboni_...@yahoo.com> wrote:

>
> I am new to both python and Django but I have been programming for more
> than 20 years so I am teaching myself this stuff.  I came across an old
> training video that I have been going through.  This training has you
> develop a website that can create web pages.  I got everything right so
> far but I just got to the point where you are to save off your changes to
> create a new file and I am getting the 403 Forbidden error associated with
> a POST to my connection.  The error specifically states "CSRF token
> missing or incorrect."
>
>
It certainly does sound like your tutorial video is old; probably
pre-dating the built-in CSRF protection in Django.

The most relevant documentation is here:
https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/


> Now I am currently reading through this stuff on the Django web site and I
> find that you must have it at the top of your "views" but can someone
> explain in more plain language why this isn't on by default and what the
> problem really is here?  In reading the info on the Django site it seems
> backwards so I must be missing something.  When I read it, it sounds like
> you have to add this to "gain" the protection not remove it.  What I think
> I am seeing is my system is not allowing my browser to write new files so
> I have the protection by default and I need to add this stuff in order to
> remove the protection.  That makes sense to me but seems backwards from
> what I read on the Django site.  I am very confused by this.  Any help
> would be appreciated.
>

It certainly is quite confusing to say the CSRF token has to go "at the
top of your views". Let me see if I can explain it better:

Django's CSRF protection is built-in; that is, it's on by default, and you,
as the site developer, have to specifically opt out to get around it (more
about that below). What you are seeing is the correct response to a form
submission that is missing the CSRF token. Any POST to your application
that doesn't include that token will be rejected, and Django will generate
a "403 Forbidden" error.

To get past these checks, you need to include the CSRF token in your forms.
The simplest way to do this is to include the template tag somewhere in
your HTML <form> element. (People seem to do it at the top, but it could go
anywhere). It's as simple as adding

{% csrf_token %}

in your template.

That tag will generate a hidden form element which will be submitted with
your form, and Django will accept the form submission and pass it along to
your view.

There are other, more complicated methods, if you are using JavaScript to
submit your forms, or if you need to access the actual token value, for
some reason, but this tag works for almost all cases.

Now, if you can't supply the token for some reason, and you need to opt out
(perhaps your code is part of an unauthenticated HTTP API, and you want to
accept POST requests from user agents that won't handle cookies), you can
use the @csrf_exempt decorator at the top of any of your views.

If you want to opt your whole application out of CSRF protection, then you
can do that too -- it's not baked into Django that deeply. You will need to
change your settings, and remove the CSRF middleware from
MIDDLEWARE_CLASSES. That will completely remove this feature from your
project. (and, of course, remove all of the security benefits that it comes
with)

Hope this helps,
Ian

-- 
Regards,
Ian Clelland
<clell...@gmail.com>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
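The following is an added illustration, not code from the thread or from Django itself. It is a deliberately small, self-contained Python model of the check Django's CsrfViewMiddleware performs on every unsafe request: the hidden `csrfmiddlewaretoken` field that `{% csrf_token %}` emits (or the `X-CSRFToken` header for JavaScript submissions) must match the value of the `csrftoken` cookie, and a view marked with `@csrf_exempt` skips the check. The `Request`, `Response`, `dispatch` and `save_page` names are hypothetical stand-ins for the framework's request cycle, and the comparison is simplified (Django 1.3 stored the raw token in the cookie; later releases mask it). Running `demo()` shows why the original poster's form got a 403 and what adding the tag changes.

```python
import hmc_placeholder_never_used if False else None  # noqa: placeholder line removed below
```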

Reply via email to