问题
I have a Django site on Apache with mod_wsgi. At first the admin page would return a 500 error, it started working after restarting Apache and such. But now when I go to log in I get a 403 with this message:
CSRF verification failed. Request aborted.
You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.
The only option for CSRF I have in my settings is CSRF_COOKIE_DOMAIN = "127.0.0.1"
CSSRF_SECURE_DOMAIN isn't set so it defaults to False. I am not using https at all currently as the site is still in development.
But I need to be able to access the admin interface.
How can I fix this error? Everything worked fine on local development servers but once pushed up to a web server I ran into these types of issues.
So does anyone have any suggestions on how to fix this CSRF validation error I am having? And does anyone know how it will change if I got to implement SSL on the site?
All requests/responses are from the same server. Appreciate any help provided.
EDIT:
In my Django logger file output I get this line:
[04/Nov/2015 18:13:20] WARNING [django.request:98] Forbidden (CSRF cookie not set.): /sa-admin/login/
Saying that the CSRF cookie is not set at all. But I am using the default contrib.admin to handle all of this so I am perplexed as to the problem. Only suit has been added to the admin. But that is just a skin really.
回答1:
You should remove CSRF_COOKIE_DOMAIN = "127.0.0.1" from your settings.
Django is looking for CSRF token cookie with your production domain, but won't find it because your application sets 127.0.0.1 as cookie domain due to your settings. So it returns HTTP 403 and logs that cookie is not set.
来源:https://stackoverflow.com/questions/33533866/django-on-apache-with-mod-wsgi-csrf-verification-failed