CSRF verification failed. Request aborted. in Django

Updated: 2024-10-24 02:25:34

Problem description

I am following Django 1.3 Web Development, and for logins I am getting the following error:

    Forbidden (403)
    CSRF verification failed. Request aborted.
    Help
    Reason given for failure:
        CSRF token missing or incorrect.

This is my settings.py Included APPS. It is exactly how the book says it should be.

    INSTALLED_APPS = (
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.sites',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        # Uncomment the next line to enable the admin:
        'django.contrib.admin',
        # Uncomment the next line to enable admin documentation:
        # 'django.contrib.admindocs',
        'djangocricket.Cricket',
        'djangocricket.cms'
    )

The book says it should contain django.contrib.auth.views.login, and I am including it in

    urlpatterns = patterns('',
        # Examples:
        url(r'^$', 'djangocricket.Cricket.views.index', name='default'),
        url(r'^user/(\w+)/$', 'djangocricket.Cricket.views.user_home', name='user home'),
        url(r'^login/$', 'django.contrib.auth.views.login'),
        # url(r'^djangocricket/', include('djangocricket.foo.urls')),

        # Uncomment the admin/doc line below to enable admin documentation:
        #url(r'^admin/doc/', include('django.contrib.admindocs.urls')),

        # Uncomment the next line to enable the admin:
        url(r'^news/', 'djangocricket.cms.views.index', name='index'),
        #url(r'^news/(?P<slug>[^\.]+).html', 'djangocricket.cms.views.detail', name='get_single_news_item'),
        url(r'^admin/', include(admin.site.urls)),
    )

And my registration/login.html ... copy-pasted from the book. It should do.

    <html>
    <head>
      <title>Django Bookmarks - User Login</title>
    </head>
    <body>
      <h1>User Login</h1>
      {% if form.errors %}
        <p>Your username and password didn't match. Please try again.</p>
      {% endif %}
      <form method="post" action=".">
        <p><label for="id_username">Username:</label> {{ form.username }}</p>
        <p><label for="id_password">Password:</label> {{ form.password }}</p>
        <input type="hidden" name="next" value="/" />
        <input type="submit" value="login" />
      </form>
    </body>
    </html>

What am I missing?

Recommended answer

You need to add the {% csrf_token %} template tag as a child of the form element in your Django template.

This way, the template will render a hidden element with the value set to the CSRF token. When the Django server receives the form request, Django will verify that the token matches the value that was rendered in the form. This is necessary to ensure that POST requests (i.e. data-altering requests) originate from an authentic client session.

For more info, check the Django documentation at: docs.djangoproject.com/en/dev/ref/csrf/

Here is an overview of the Cross-Site Request Forgery attack: www.owasp.org/index.php/CSRF
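
An added example, not part of the original question or answer and not Django's own implementation: a simplified, standard-library model of the check the answer describes, showing why the template from the question gets the 403 and why the form with the token does not. The session dictionary and the function names are assumptions made for illustration; only the hidden field name csrfmiddlewaretoken is Django's.

```python
import hmac
import re
import secrets

FIELD = "csrfmiddlewaretoken"  # name of the hidden field Django renders


def render_login_form(session, with_token=True):
    """Render the login form; the hidden field plays the role of {% csrf_token %}."""
    hidden = ""
    if with_token:
        # One random secret per client session, created on first render.
        token = session.setdefault("csrf", secrets.token_urlsafe(32))
        hidden = '<input type="hidden" name="%s" value="%s" />' % (FIELD, token)
    return ('<form method="post" action=".">%s'
            '<input type="submit" value="login" /></form>' % hidden)


def submitted_fields(html):
    """Collect the hidden inputs a browser would send when the form is submitted."""
    pattern = r'<input type="hidden" name="([^"]+)" value="([^"]*)"'
    return dict(re.findall(pattern, html))


def handle_post(session, post):
    """Return (status, reason), mirroring the 403 page quoted in the question."""
    expected = session.get("csrf")
    supplied = post.get(FIELD, "")
    # compare_digest avoids leaking how many leading characters matched.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "CSRF token missing or incorrect."
    return 200, "OK"


if __name__ == "__main__":
    session = {}  # constructed stand-in for one user's server-side session
    # Template as posted in the question: no token rendered, POST is rejected.
    print(handle_post(session, submitted_fields(render_login_form(session, False))))
    # Template with the tag added: the token round-trips and the POST is accepted.
    print(handle_post(session, submitted_fields(render_login_form(session))))
    # A request built without access to the rendered form carries no valid token.
    print(handle_post(session, {FIELD: secrets.token_urlsafe(32)}))
```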

Published: 2023-10-18 13:15:11
Article link: https://www.elefans.com/category/jswz/34/1504327.html