I am running Django 1.2.2 and I get the following error when I try to log in to the Django admin:

Forbidden (403) CSRF verification failed. Request aborted.

Reason given for failure:

No CSRF or session cookie.

I have made NO customization to the barebones admin and when I inspect the source there is a CSRF token in the form in what I believe is the correct place.

When I look at the actual request that is being sent there is a csrf token being sent but Django still says CSRF verification failed.

Can anyone point me in the right direction? Why is this happening?

+2  A: 

1) Do you have 'django.middleware.csrf.CsrfViewMiddleware' in your settings.MIDDLEWARE_CLASSES?

2) Are you sure you've always been on 1.2.2? That only came out last night...

stevejalim
Yes I have it in my MIDDLEWARE_CLASSES. Actually I think I was running 1.2.1 till this morning when I completely reinstalled it. Good catch.
thomallen
If I inspect the request in Charles I can see that there is a csrfmiddlewaretoken in the request. So CSRF is working if the token is being generated. But why is it not seeing the token when the form is submitted?
thomallen
+1  A: 

According to the docs, not only do you need the csrf hidden form field, but also the csrftoken cookie. The error message you provided also suggests a missing cookie.

I would look in your browser's cookies to ensure the csrftoken cookie is present.

slypete
I finally figured out that I was only getting this error in Firefox. To correct this problem I went into my Firefox cookies and deleted all of them for the Django site. Once the browser had a new CSRF cookie for the site it worked fine. Must have been an out-of-date cookie or something...
thomallen
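
The check described in the last answer (the csrftoken cookie and the csrfmiddlewaretoken form field both have to arrive with the POST), as an added example that is not part of the original thread and is not Django's middleware code. It classifies a raw request such as one exported from a proxy; the sample requests, the `example.test` host, the token values and the plain-equality comparison are assumptions made for illustration.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def diagnose(raw_request):
    """Classify a raw form POST by its CSRF cookie / hidden-field pair."""
    head, _, body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    cookie = jar["csrftoken"].value if "csrftoken" in jar else None
    field = parse_qs(body).get("csrfmiddlewaretoken", [None])[0]

    if cookie is None:
        return "NO_COOKIE"   # token in the form, but no cookie sent with it
    if field is None:
        return "NO_FIELD"    # cookie sent, hidden field missing from the body
    # Assumption: the two values are compared for plain equality.
    if not hmac.compare_digest(cookie.encode(), field.encode()):
        return "MISMATCH"    # e.g. an old cookie next to a freshly rendered form
    return "OK"


def sample(cookie_header, body):
    """Build a constructed POST to a hypothetical /admin/ login form."""
    lines = ["POST /admin/ HTTP/1.1", "Host: example.test",
             "Content-Type: application/x-www-form-urlencoded"]
    if cookie_header:
        lines.append("Cookie: " + cookie_header)
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample data, not captured from a real site.
FORM = "csrfmiddlewaretoken=aaaa1111&username=admin&password=x"
SAMPLES = {
    "fresh cookie": sample("csrftoken=aaaa1111", FORM),
    "no cookie sent": sample("", FORM),
    "stale cookie": sample("csrftoken=old99999", FORM),
    "field missing": sample("csrftoken=aaaa1111", "username=admin&password=x"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} -> {diagnose(raw)}")
```

A request that carries the form token but returns NO_COOKIE points at the browser's cookie store or the cookie's domain and path rather than at the template.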