I am running Django 1.3 with Apache and mod_wsgi. I followed these instructions, https://docs.djangoproject.com/en/1.3/howto/deployment/modwsgi/ to display a simple page, which contains a form, and which sends the data back via POST.
Everything is fine with GET requests. However, when I do a POST, I get an error: Forbidden (403), "CSRF token missing or incorrect".

The django.middleware.csrf.CsrfViewMiddleware component is added to the MIDDLEWARE_CLASSES list. The HTML form contains the {% csrf_token %} tag. I can verify that in the form sent on GET, this tag is replaced with the hidden input field:

    <input type='hidden' name='csrfmiddlewaretoken' value='m4zDfr2n32yfberwrVuxylniJFXAs' />

I also use RequestContext in the Django views code.

When the form is POSTed back, the CsrfViewMiddleware expects to find a cookie with a specific name, and if found, it sets the csrf_token variable:

    csrf_token = _sanitize_token(
        request.COOKIES[settings.CSRF_COOKIE_NAME])

Then, for the POST request, it expects to find specific data inside request.POST:

    if request.method == "POST":
        request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')

The error I am seeing happens when these two values are not equal. Indeed, in my case, the csrf_token is set to the value above, and the request_csrf_token is empty. Moreover, request.POST comes completely empty when it reaches the CsrfViewMiddleware filter.

It is known that mod_wsgi sends POST data in request.META['wsgi.input'], which somehow needs to be parsed. The Django documentation advises against accessing POST data in the middleware (something breaks down the road), with CsrfViewMiddleware being an exception. But even if I stick another custom component just before CsrfViewMiddleware in the MIDDLEWARE_CLASSES list, which would read and parse the request.META['wsgi.input'] data, I will not be able to pass the value to CsrfViewMiddleware via POST because it is read-only.

So, my question is, how is this supposed to work? What am I missing?

Thanks.
Konstantin.
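The cookie-versus-form-field comparison described in the post, reproduced on a raw WSGI environ so that each way the submitted token can come up empty is reported separately. This is an added example, not Django's middleware code and not part of the original post: `diagnose_csrf`, `make_environ` and the sample requests are constructed, the cookie name `csrftoken` is assumed to be the default CSRF_COOKIE_NAME, and only urlencoded form bodies are handled.

```python
import hmac
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

FORM_TYPE = "application/x-www-form-urlencoded"


def diagnose_csrf(environ, cookie_name="csrftoken", field="csrfmiddlewaretoken"):
    """Return (ok, reason) for a cookie/form token check on a WSGI environ."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if cookie_name not in cookies:
        return False, "no CSRF cookie"
    cookie_token = cookies[cookie_name].value
    # A body that is not declared as form data is never parsed into fields.
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if ctype != FORM_TYPE:
        return False, "content type %r is not urlencoded form data" % ctype
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return False, "bad CONTENT_LENGTH"
    body = environ["wsgi.input"].read(length)  # read only what was declared
    if not body:
        return False, "empty body"
    fields = parse_qs(body.decode("utf-8", "replace"))
    form_token = fields.get(field, [""])[0]
    if not form_token:
        return False, "token field missing from body"
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False, "token mismatch"
    return True, "ok"


def make_environ(body, cookie, ctype=FORM_TYPE, length=None):
    """Build a constructed POST environ (hypothetical helper for the demo)."""
    return {
        "REQUEST_METHOD": "POST",
        "HTTP_COOKIE": cookie,
        "CONTENT_TYPE": ctype,
        "CONTENT_LENGTH": str(len(body) if length is None else length),
        "wsgi.input": io.BytesIO(body),
    }


TOKEN = "m4zDfr2n32yfberwrVuxylniJFXAs"  # token value quoted in the post
BODY = ("csrfmiddlewaretoken=%s&name=x" % TOKEN).encode()  # constructed body
```

Calling `diagnose_csrf(make_environ(BODY, "csrftoken=" + TOKEN, length=0))` reproduces the symptom in the post: the cookie is present but the form token is empty because no body bytes are read.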