Django CSRF cookie设置不正确

Cheng

更新7-18:

这是我的代理服务器的nginx配置:

server {
    listen 80;
    server_name blah.com; # the blah is intentional

    access_log /home/cheng/logs/access.log;     
    error_log /home/cheng/logs/error.log;       

    location / {
        proxy_pass http://127.0.0.1:8001;         
    }

    location /static {
        alias /home/cheng/diandi/staticfiles;  
    }

    location /images {
        alias /home/cheng/diandi/images;
    }

    client_max_body_size 10M;
}

这里是nginx.conf

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip_disable "msie6";

        # Enable Gzip compressed.
        gzip on;

        # Enable compression both for HTTP/1.0 and HTTP/1.1.
        gzip_http_version  1.1;

        # Compression level (1-9).
        # 5 is a perfect compromise between size and cpu usage, offering about
        # 75% reduction for most ascii files (almost identical to level 9).
        gzip_comp_level    5;

        # Don't compress anything that's already small and unlikely to shrink much
        # if at all (the default is 20 bytes, which is bad as that usually leads to
        # larger files after gzipping).
        gzip_min_length    256;

        # Compress data even for clients that are connecting to us via proxies,
        # identified by the "Via" header (required for CloudFront).
        gzip_proxied       any;

        # Tell proxies to cache both the gzipped and regular version of a resource
        # whenever the client's Accept-Encoding capabilities header varies;
        # Avoids the issue where a non-gzip capable client (which is extremely rare
        # today) would display gibberish if their proxy gave them the gzipped version.
        gzip_vary          on;

        # Compress all output labeled with one of the following MIME-types.
        gzip_types
                application/atom+xml
                application/javascript
                application/json
                application/rss+xml
                application/vnd.ms-fontobject
                application/x-font-ttf
                application/x-web-app-manifest+json
                application/xhtml+xml
                application/xml
                application/x-javascript
                font/opentype
                image/svg+xml
                image/x-icon
                text/css
                text/plain
                text/javascript
                text/js
                text/x-component;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

更新7-15:

将代码复制到linux机器时,我只是替换了原始源代码文件,但没有删除旧的.pyc文件,我认为这不会造成麻烦,对吗?


这是视图代码:

from django.contrib.auth import authenticate, login
from django.http import HttpResponseRedirect
from django.core.urlresolvers import reverse
from django.shortcuts import render

def login_view(request):
    if request.method == 'POST':
        username = request.POST['username']
        password = request.POST['password']
        user = authenticate(username=username, password=password)
        next_url = request.POST['next']
        if user is not None:
            if user.is_active:
                login(request, user)
                if next_url:
                    return HttpResponseRedirect(next_url)
                return HttpResponseRedirect(reverse('diandi:list'))
        else:
            form = {'errors': True}
            return render(request, 'registration/login.html', {'form': form})

    else:
        form = {'errors': False}
        return render(request, 'registration/login.html', {'form': form})

CSRF cookie not set从Django得到了这些错误之一,但这不是因为我忘记了{% csrf_token %}在模板中包含

这是我观察到的:

进入登录页面#1试试

在中Request Headercookie值是:

csrftoken=yNG8ZmSI4tr2xTLoE9bys8JbSuu9SD34;

在模板中:

<input type="hidden" name="csrfmiddlewaretoken" value="9CVlFSxOo0xiYykIxRmvbWyN5iEUHnPB">

在我安装在chrome上的cookie插件中,实际的csrf cookie值设置为:

9CVlFSxOo0xiYykIxRmvbWyN5iEUHnPB

访问登录页面#2,请尝试:

在中Request Headercookie值是:

csrftoken=9CVlFSxOo0xiYykIxRmvbWyN5iEUHnPB;

在模板中:

<input type="hidden" name="csrfmiddlewaretoken" value="Y534sU40S8iTubSVGjjh9KQl0FXesVsC">

在我安装在chrome上的cookie插件中,实际的csrf cookie值设置为:

Y534sU40S8iTubSVGjjh9KQl0FXesVsC

图案

正如可以从上面的例子看到的,内部的Cookie值Request Header与实际的不同csrfmiddlewaretoken的形式和实际cookie值被设置。

当前请求的request header'scookie值与下一个cookie值匹配


为了帮助调试,这是我的`settings.py'的一部分:

DJANGO_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
)

THIRD_PARTY_APPS = (
    'compressor',
    'crispy_forms',
    'django_extensions',
    'floppyforms',
    'multiselectfield',
    'admin_highcharts',
)

LOCAL_APPS = (
    'diandi_project',
    'uer_application',
)

INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS

MIDDLEWARE_CLASSES = (
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [str(ROOT_DIR.path('templates'))],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.media',
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

我正在使用Django 1.9.5python 2.7.10

一个“解决方案”

我之前遇到过此问题,可以清除所有浏览器cookie,并且该站点将正常运行。但是这个问题最终会再次出现,所以我真的希望有人可以帮助我(我可能在某个地方犯了一个非常愚蠢的错误)。

更新

最初,我以为覆盖django.contrib.auth.view页面时会犯一些错误,所以我编写了自己的登录页面处理程序,但仍然会导致问题。

这是我的登录模板的核心部分:

{% block content %}
...

                <form method="post" action="{% url 'login' %}">
                    {% csrf_token %}

                    <div class="form-group">
                        <label for="username">username</label>
                        <input type="text" class="form-control" id="id_username" name="username">
                    </div>
                    <div class="form-group">
                        <label for="password">password</label>
                        <input type="password" class="form-control" id="id_password" name="password">
                    </div>

                    <input type="submit" class="btn btn-default" value="login" />
                    <input type="hidden" id="next" name="next" value="" />
                </form>

...

{% endblock %}

在Linux机器上,我将nginx服务器设置为反向代理,该代理将端口80上的请求直接定向到8001,并且我正在使用来运行服务器。./manage runserver localhost:8001这是我可以想到的唯一区别。否则,所有源代码和设置文件都是相同的。


我开始删除Cookie,但不是全部删除,这是删除它们之前看到的内容:

在此处输入图片说明

我删除了djdt以外的所有Cookie csrftoken,然后该页面正常工作。删除的cookie是否会以某种方式超过某个限制,从而阻止设置列表后面的csrftoken?

这是请求标头中上面图像的cookie值:

Cookie:PSTM=1466561622; BIDUPSID=6D0DDB8084625F2CEB7B9D0F14F93391; BAIDUID=326150BF5A6DFC69B6CFEBD67CA7A18B:FG=1; BDSFRCVID=Fm8sJeC62leqR8bRqWS1u8KOKg9JUZOTH6ao6BQjXAcTew_mbPF_EG0PJOlQpYD-hEb5ogKK0mOTHvbP; H_BDCLCKID_SF=tJPqoCtKtCvbfP0k-tcH244HqxbXq-r8fT7Z0lOnMp05EnnjKl5M3qKOqJraJJ585Gbb5tOhaKj-VDO_e6u-e55LjaRh2PcM2TPXQ458K4__Hn7zep0aqJtpbt-qJjbOfmQBbfoDQCTDfho5b63JyTLqLq5nBT5Ka26WVpQEQM5c8hje-4bMXPkkQN3T-TJQL6RkKTCyyx3cDn3oyToVXp0njGoTqj-eJbA8_CtQbPoHHnvNKCTV-JDthlbLetJyaR3lWCnbWJ5TMCo1bJQCe-DwKJJgJRLOW2Oi0KTFQxccShPC-tP-Ll_qW-Q2LPQfXKjabpQ73l02VhcOhhQ2Wf3DM-oat4RMW20jWl7mWPQDVKcnK4-Xj533DHjP; BDUSS=5TNmRvZnh2eUFXZDA5WXI5UG1HaXYwbzItaWt3SW5adjE1Nn5XbUVoWHZuYXBYQVFBQUFBJCQAAAAAAAAAAAEAAAC0JtydAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO8Qg1fvEINXSU; Hm_lvt_a7708f393bfa27123a1551fef4551f7a=1468229606; Hm_lpvt_a7708f393bfa27123a1551fef4551f7a=1468229739; BDRCVFR[feWj1Vr5u3D]=I67x6TjHwwYf0; BDRCVFR[dG2JNJb_ajR]=mk3SLVN4HKm; BDRCVFR[-pGxjrCMryR]=mk3SLVN4HKm; cflag=15%3A3; H_PS_PSSID=1424_20515_13289_20536_20416_19861_14994_11792; csrftoken=xUgSHybzHeIwusN0GvMgB1ATeRrPgcV1

由于该站点现在可以正常运行,所以我只有五个cookie,而不是上面的14个cookie:

在此处输入图片说明

Cheng

Here is the issue: You cannot have a cookie which key contains either the character '[' or ']'

I discovered the solution following @Todor's link, then I found out about this SO post. Basically there was a bug in python 2.7.x that does not parse cookies with ']' in the value. The bug was fixed in 2.7.10.

I thought it would be good to just confirm this issue. So I dug through all of the cookies and found one with the following key/value:

key: BDRCVFR[feWj1Vr5u3D]
val: I67x6TjHwwYf0

So I inserted the following cookie locally and submitted to the server:

key: test
val: BDRCVFR[feWj1Vr5u3D]

The login page worked, which means 2.7.10 indeed fixed the bug.

But then I realized that the square brackets are actually in the key name not in the value, so I did the following tests:

key: [
val: I67x6TjHwwYf0

and

key:]
val: I67x6TjHwwYf0

Both cookies break the login process and django displays:

CSRF cookie not set

因此,无论是django还是依赖于它的python库,都无法正确解析名称中带有方括号的cookie。如果有人知道我应该在哪里提交此错误,请告诉我(django或python)。

我要感谢在OP中发表评论的每个人:@ raphv,@ trinchet,@ Phillip,@ YPCrumble,@ PeterBrittain和@Todor。非常感谢你们与我进行调试!


更新:2016年7月20日

此错误已在Django 1.10中修复,仅需等待发布

更新:2016年7月19日

由于这篇文章,Django提交了一个错误报告我们将查看它是否会在将来的版本中修复。

本文收集自互联网,转载请注明来源。

如有侵权,请联系[email protected] 删除。

编辑于
0

我来说两句

0条评论
登录后参与评论

相关文章

来自分类Dev

Django 1.9:使用Stripe的CSRF令牌丢失或不正确

来自分类Dev

禁止(CSRF令牌丢失或不正确)Django错误

来自分类Dev

CSRF令牌丢失或在Django中不正确

来自分类Dev

将django与邮递员{“ detail”:“ CSRF失败:CSRF令牌丢失或不正确。”}

来自分类Dev

“ CSRF失败:CSRF令牌丢失或不正确。” 在Django Rest中:UpdateModelMixin

来自分类Dev

捕获“缺少或不正确的CSRF cookie类型。” 例外

来自分类Dev

Django CSRF验证失败。请求中止。-未设置CSRF cookie

来自分类Dev

python Django REST Framework CSRF失败:未设置CSRF cookie?

来自分类Dev

Django CSRF验证失败。请求中止。-未设置CSRF cookie

来自分类Dev

Django 1.9.2 + jQuery + POST-错误403-CSRF令牌丢失或不正确

来自分类Dev

Django + VueJS:POST 403禁止-CSRF令牌丢失或不正确

来自分类Dev

没有jQuery的Django CSRF丢失或不正确的Ajax POST(Vanilla JavaScript)

来自分类Dev

使用Django和JS的“禁止(CSRF令牌丢失或不正确。):”

来自分类Dev

Django 服务器 403(CSRF 令牌丢失或不正确)

来自分类Dev

Django:禁止(未设置CSRF cookie。)

来自分类Dev

Django:使用 AJAX 上传文件:表单表示文件输入字段为空(或 CSRF 令牌丢失或不正确)

来自分类Dev

禁止(CSRF令牌丢失或不正确。)

来自分类Dev

Rails 4 CSRF不正确

来自分类Dev

CSRF失败:CSRF令牌丢失或不正确

来自分类Dev

未在多个浏览器中设置Django CSRF cookie

来自分类Dev

Django返回403错误-“未设置CSRF Cookie”

来自分类Dev

Django REST Framework Forbidden CSRF cookie 未设置

来自分类Dev

在 Angular 中获取并插入 Django 设置的 CSRF cookie 的值

来自分类Dev

Django模型继承-实例属性设置不正确

来自分类Dev

Django 1.9 AJAX表单CSRF令牌403错误-“未设置CSRF Cookie”

来自分类Dev

Django 1.6中CSRF令牌Cookie的问题

来自分类Dev

Cookie设置不正确

来自分类Dev

CSRF令牌在一页上丢失或不正确

来自分类Dev

Python 请求:CSRF 令牌丢失或不正确

Related 相关文章

  1. 1

    Django 1.9:使用Stripe的CSRF令牌丢失或不正确

  2. 2

    禁止(CSRF令牌丢失或不正确)Django错误

  3. 3

    CSRF令牌丢失或在Django中不正确

  4. 4

    将django与邮递员{“ detail”:“ CSRF失败:CSRF令牌丢失或不正确。”}

  5. 5

    “ CSRF失败:CSRF令牌丢失或不正确。” 在Django Rest中:UpdateModelMixin

  6. 6

    捕获“缺少或不正确的CSRF cookie类型。” 例外

  7. 7

    Django CSRF验证失败。请求中止。-未设置CSRF cookie

  8. 8

    python Django REST Framework CSRF失败:未设置CSRF cookie?

  9. 9

    Django CSRF验证失败。请求中止。-未设置CSRF cookie

  10. 10

    Django 1.9.2 + jQuery + POST-错误403-CSRF令牌丢失或不正确

  11. 11

    Django + VueJS:POST 403禁止-CSRF令牌丢失或不正确

  12. 12

    没有jQuery的Django CSRF丢失或不正确的Ajax POST(Vanilla JavaScript)

  13. 13

    使用Django和JS的“禁止(CSRF令牌丢失或不正确。):”

  14. 14

    Django 服务器 403(CSRF 令牌丢失或不正确)

  15. 15

    Django:禁止(未设置CSRF cookie。)

  16. 16

    Django:使用 AJAX 上传文件:表单表示文件输入字段为空(或 CSRF 令牌丢失或不正确)

  17. 17

    禁止(CSRF令牌丢失或不正确。)

  18. 18

    Rails 4 CSRF不正确

  19. 19

    CSRF失败:CSRF令牌丢失或不正确

  20. 20

    未在多个浏览器中设置Django CSRF cookie

  21. 21

    Django返回403错误-“未设置CSRF Cookie”

  22. 22

    Django REST Framework Forbidden CSRF cookie 未设置

  23. 23

    在 Angular 中获取并插入 Django 设置的 CSRF cookie 的值

  24. 24

    Django模型继承-实例属性设置不正确

  25. 25

    Django 1.9 AJAX表单CSRF令牌403错误-“未设置CSRF Cookie”

  26. 26

    Django 1.6中CSRF令牌Cookie的问题

  27. 27

    Cookie设置不正确

  28. 28

    CSRF令牌在一页上丢失或不正确

  29. 29

    Python 请求:CSRF 令牌丢失或不正确

热门标签

归档