You*_*wad 35 django django-views django-registration
我正在关注Django 1.3 Web开发.并且对于登录,我收到以下错误
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
这是我的settings.py包含的APPS.这本书应该是这样说的.
INSTALLED_APPS = (
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
# Uncomment the next line to enable the admin:
'django.contrib.admin',
# Uncomment the next line to enable admin documentation:
# 'django.contrib.admindocs',
'djangocricket.Cricket',
'djangocricket.cms'
)
这本书说,它应该包含,django.contrib.auth.views.login ..我把它包括在内
urlpatterns = patterns('',
# Examples:
url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
url(r'^login/$', 'django.contrib.auth.views.login'),
# url(r'^djangocricket/', include('djangocricket.foo.urls')),
# Uncomment the admin/doc line below to enable admin documentation:
#url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
# Uncomment the next line to enable the admin:
url(r'^news/', 'djangocricket.cms.views.index', name='index'),
#url(r'^news/(?P<slug>[^\.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
url(r'^admin/', include(admin.site.urls)),
)
和我的注册/ login.html ...从书中粘贴的副本.它应该做.
<html>
<head>
<title>Django Bookmarks - User Login</title>
</head>
<h1>User Login</h1>
{% if form.errors %}
<p>Your username and password didn't match.
Please try again.</p>
{% endif %}
<form method="post" action=".">
<p><label for="id_username">Username:</label>
{{ form.username }}</p>
<p><label for="id_password">Password:</label>
{{ form.password }}</p>
<input type="hidden" name="next" value="/" />
<input type="submit" value="login" />
</form>
</body>
</html>
我错过了什么?
fcu*_*lla 61
您需要将{% csrf_token %}模板标记添加为formDjango模板中元素的子元素.
这样,模板将呈现一个隐藏元素,其值设置为CSRF令牌.当Django服务器收到表单请求时,Django将验证该令牌是否与表单中呈现的值匹配.这是确保POST请求(即数据更改请求)源自可信客户端会话所必需的.
有关更多信息,请查看Django文档:https: //docs.djangoproject.com/en/dev/ref/csrf/
以下是跨站点请求伪造攻击的概述:https: //www.owasp.org/index.php/CSRF
如果您使用csrf_token模板标签但没有更改任何内容,请检查CSRF_COOKIE_DOMAIN设置.您应该None在开发环境中设置它.
小智 8
我有同样的问题.当我添加{%csrf_token%}时,我解决了这个问题.最后我的代码是这样的:
<form id='formulario2' method='post' action='>
<h3>Enter:</h3>
{% csrf_token %}
<input id="id_mesaje" name="mesaje" type="email" placeholder="E-mail"/>
<input type='submit' name="boton2" value='Suscribete' style="display:inline-block;background-color: #80e174; "/>
</form>
只是想提供有关该主题的其他信息。如果它发生在您身上并且您确定令牌已注入表单并且视图函数正在正确处理所有内容,但问题仍然存在。确保没有禁用输入字段的 javascript 代码。发生在我身上,经过几个小时的调试,终于意识到了这一点。
<input type="hidden" name="csrfmiddlewaretoken" value="pHK2CZzBB323BM2Nq7DE2sxnQoBG1jPl" disabled="">
添加csrf_token到您的 POST 表单:
<form method="post" action=".">
{% csrf_token %}
...
</form>
CSRF_TRUSTED_ORIGINS在 Django 4.0 中,设置也很重要。看这里