Thursday, June 28, 2012

Re: 'CSRF verification failed." from django.contrib.comments. can you help solve it? django 1.3

On Thu, Jun 28, 2012 at 9:14 AM, brycenesbitt <digitalbitstream@gmail.com> wrote:
I'm using django.contrib.comments and get 'CSRF token missing or incorrect.' when previewing or submitting a comment.  I have:
... 


The HTML looks like it has the csrf security_hash in the proper place:
<form action="/comments/post/" method="post">
<div><input type="hidden" name="object_pk" value="28" id="id_object_pk" /></div>
<div><input type="hidden" name="timestamp" value="1340899354" id="id_timestamp" /></div>
<div><input type="hidden" name="security_hash" value="6e85e1c846861c80575ce435b21a855706725b00" id="id_security_hash" /></div>
... 
 

The "security_hash" field that you see is part of the comments app, and is not the CSRF token. That needs to be output by a {% csrf_token %} tag (or its equivalent). If it's working, you should see another hidden input field, which looks like this:

<div style="display:none">
    <input type="hidden" name="csrfmiddlewaretoken" value="36d43c1652d5676d6d411950e077eeaa1cc1f799"/>
</div>

The comments app normally does that automatically -- it's part of django/contrib/comments/templates/form.html -- Are you overriding the comment form in your own app? If so, you need to include the call to {% csrf_token %} yourself.

@csrf_protect  #does not matter if this is here or not

No, if you have the CSRFViewMiddleware installed, then you don't need this line at all.

--
Regards,
Ian Clelland
<clelland@gmail.com>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)