Django CSRF framework cannot be disabled and is breaking my site

django csrf

Solution 1:

Yes, Django csrf framework can be disabled.

To manually exclude a view function from being handled by any CSRF middleware, you can use the csrf_exempt decorator, found in the django.views.decorators.csrf module. For example: (see doc)

from django.views.decorators.csrf import csrf_exempt                                          
@csrf_exempt                                                                                  
def my_view:                                                                            
    return Httpresponse("hello world")

..and then remove {% csrf_token %} inside the forms from your template,or leave other things unchanged if you have not included it in your forms.

Solution 2:

You can disable this in middleware.

In your settings.py add a line to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (

    myapp.disable.DisableCSRF, 

)

Create a disable.py in myapp with the following

class DisableCSRF(object):
    def process_request(self, request):
        setattr(request, '_dont_enforce_csrf_checks', True)

Basically if you set the _dont_enforce_csrf_checks in your request, you should be ok.

Solution 3:

See answers below this for a better solution. Since I wrote this, a lot has changed. There are now better ways to disable CSRF.

I feel your pain. It's not acceptable for a framework to change such fundamental functionality. Even if I want to start using this from now on, I have legacy sites on the same machine sharing a copy of django. Changes like this should require major version number revisions. 1.x --> 2.x.

Anyway, to fix it I just commented it out and have stopped updating Django as often.

File: django/middleware/csrf.py Around line 160:

            # check incoming token
#            request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
#            if request_csrf_token != csrf_token:
#                if cookie_is_new:
#                    # probably a problem setting the CSRF cookie
#                    return reject("CSRF cookie not set.")
#                else:
#                    return reject("CSRF token missing or incorrect.")

Solution 4:

In general, you shouldn't be disabling CSRF protection, since doing so opens up security holes. If you insist, though…

A new way of doing CSRF protection landed in trunk just recently. Is your site by chance still configured to do it the old way? Here are the docs for The New Way™ and here are the docs for The Old Way™.

Solution 5:

I simply tried removing the references to csrf middleware classes from my settings.py, it worked. Not sure if this is acceptable. Any comments? Below two lines were removed - 

      'django.middleware.csrf.CsrfViewMiddleware',
      'django.middleware.csrf.CsrfResponseMiddleware',

Related

Is there a way to circumvent Python list.append() becoming progressively slower in a loop as the list grows?
502 Bad Gateway Deploying Express Generator Template on Elastic Beanstalk
Can we see the template instantiated code by C++ compiler
Connecting two computers using an Ethernet cable
" maven -version" command is not recognized in Git Bash
Script to Change Pronunciations on Mac
How do I get my taskbar to normal size in Windows?
AIMP: how to repeat the playlist?
Application becomes completely unclickable/uninteractable sometimes
ImportError: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.27' not found
Chrome Spell Check Not Functioning
Why is new PC hanging on boot?