Thursday, June 28, 2012

Re: 'CSRF verification failed.' from django.contrib.comments. can you help solve it? django 1.3

On Thu, Jun 28, 2012 at 9:14 AM, brycenesbitt wrote:
I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:

The HTML looks like it has the csrf security_hash in the proper place:
<form action="/comments/post/" method="post">
<div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
<div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
<div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>

The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:

<div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>

The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

@csrf_protect  #does not matter if this is here or not

No, if you have the CsrfViewMiddleware installed, then you don't need this line at all.

Ian Clelland

You received this message because you are subscribed to the Google Groups "Django users" group.
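
A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it scans rendered HTML for POST forms that lack the csrfmiddlewaretoken input, whether or not they carry the comments app's security_hash. The class name, function name and sample forms are constructed for illustration.

```python
from html.parser import HTMLParser

CSRF_FIELD = "csrfmiddlewaretoken"  # hidden input emitted by {% csrf_token %}

# Constructed sample pages (not taken from a real site); field names follow the thread.
BROKEN_FORM = """<form action="/comments/post/" method="post">
<div><input type="hidden" name="security_hash" value="constructed-hash" /></div>
</form>"""
FIXED_FORM = """<form action="/comments/post/" method="post">
<div style="display:none"><input type="hidden" name="csrfmiddlewaretoken" value="constructed-token" /></div>
<div><input type="hidden" name="security_hash" value="constructed-hash" /></div>
</form>"""


class PostFormAuditor(HTMLParser):
    """Collect the input names of every POST form in a rendered page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per POST form seen
        self._current = None  # POST form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Only POST forms are subject to Django's CSRF check.
            if (attrs.get("method") or "get").lower() == "post":
                self._current = {"action": attrs.get("action") or "", "fields": set()}
                self.forms.append(self._current)
            else:
                self._current = None
        elif tag == "input" and self._current is not None and attrs.get("name"):
            self._current["fields"].add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_missing_csrf(html):
    """Return the action of each POST form that has no csrfmiddlewaretoken input."""
    auditor = PostFormAuditor()
    auditor.feed(html)
    auditor.close()
    return [f["action"] for f in auditor.forms if CSRF_FIELD not in f["fields"]]
```
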