Django: CSRF token missing or incorrect

Posted on

Question :

Django: CSRF token missing or incorrect

The error is at location http://127.0.0.1:8000/fileupload/form.py

I have version 1.3 of django. I have tried specifying localhost:8000 as stated in someone else’s question but this did not work for me. I am trying to have a file upload form but I am receiving an error that form.py does not have the CSRF token.

form.py:

class UploadFileForm(forms.Form):

    title = forms.CharField(max_length=50)
    file  = forms.FileField()

views.py:

def upload_file(request):

    c = {}
    c.update(csrf(request))

    if (not request.user.is_authenticated()) or (request.user == None):
      return HttpResponseRedirect("/?error=11")


    if request.method == 'POST':
      form = c['UploadFileForm'] = UploadFileForm(request.POST, request.FILES,  c, context_instance=RequestContext(request))

      if c['UploadFileForm'].is_valid():
        handle_uploaded_file(request.FILES['file'])
        return HttpResponseRedirect('/success/url/')

    else:
        form = c['UploadFileForm'] = UploadFileForm()
    return render_to_response('fileupload/upload.html', {'form': c['UploadFileForm']})

upload.html:

{% block main_content %}


  <form action="fileupload/form.py" enctype="multipart/form-data" method="POST">
    {% csrf_token %}
    <table>

      <tr><td>Title:</td><td><input type="text" name="title" /></td></tr>
      <tr><td>File:</td><td><input type="file" name="file" /></td></tr>
    </table>
      <input type="submit" value="Submit" class = "float_right button_input" />

  </form> 

{% endblock main_content %}

I am very stumped please tell me some things to try. Thank You

Answer #1:

You need to pass RequestContext in render_to_response for csrf_token

For this : (views.py)

from django.template import RequestContext

...

return render_to_response('fileupload/upload.html', {'form': c['UploadFileForm']},  RequestContext(request))
# Added RequestContext

This passes the token for csrf to the template.

Answered By: Yugal Jindle

Answer #2:

It can also happen if you use @cache_page(60 * 15) decorators. If you cache a page with a form containing a CSRF token, you’ll cache the CSRF token of the first user only. So it’s kinda hard to debug sometimes.

More info from Django documentation

If the csrf_token template tag is used by a template (or the get_token
function is called some other way), CsrfViewMiddleware will add a
cookie and a Vary: Cookie header to the response. This means that the
middleware will play well with the cache middleware if it is used as
instructed (UpdateCacheMiddleware goes before all other middleware).

However, if you use cache decorators on individual views, the CSRF
middleware will not yet have been able to set the Vary header or the
CSRF cookie, and the response will be cached without either one. In
this case, on any views that will require a CSRF token to be inserted
you should use the django.views.decorators.csrf.csrf_protect()
decorator first:

from django.views.decorators.cache import cache_page
from django.views.decorators.csrf import csrf_protect

@cache_page(60 * 15)
@csrf_protect
def my_view(request):
    ...
Answered By: varren

Answer #3:

My answer is similar to the @Yugal Jindle’s answer above.

I am using Django 1.10 and I had a similar issue, it worked for me after editing

return render_to_response(param1, param2)

to

return render(request, param1, param2)

P.S. Make sure you have the below line in your MIDDLEWARE variable in the settings.py

'django.middleware.csrf.CsrfViewMiddleware'
Answered By: Mr.A

Leave a Reply

Your email address will not be published. Required fields are marked *