現象:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function uses RequestContext for the template, instead of Context.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.
You can customize this page using the CSRF_FAILURE_VIEW setting.
解決步驟:
1〉django工程settings.py
MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.csrf.CsrfViewMiddleware',#確認存在 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', # Uncomment the next line for simple clickjacking protection: # 'django.middleware.clickjacking.XFrameOptionsMiddleware', )
2〉html中的form添加模板標簽{% csrf_token %}
<form action="." method="post">{% csrf_token %}
3〉django工程views.py
from django.shortcuts import render_to_response from django.template import RequestContext def some_view(request): # ... return render_to_response('my_template.html', my_data_dictionary, context_instance=RequestContext(request))
有疑問請戳Cross Site Request Forgery protection
P.S如果要屏蔽CSRF
方法1:注釋掉django工程settings.py中
#'django.middleware.csrf.CsrfViewMiddleware'
方法2:django工程views.py添加屏蔽裝飾器
from django.views.decorators.csrf import csrf_exempt @csrf_exempt def some_view(request): #...