Django REST Framework CSRF Failed: CSRF cookie not set
Solution 1
If anyone is still following this question, the direct answer is that you need to use the decorator on the view method itself. The get
and post
methods defined on the APIView
class just tell DRF how the actual view should behave, but the view method that the django router expects is not actually instantiated until you call LoginView.as_view()
.
Thus, the solution is to add the csrf_exempt
decorator to urls.py
. It might look as follows:
#file: urls.py
from django.conf.urls import patterns, url
from django.views.decorators.csrf import csrf_exempt
import views
urlpatterns = patterns('',
url('^login/$', csrf_exempt(views.LoginView.as_view())),
...
)
However, as Mark points out above, csrf protection is important to prevent your sessions from being hijacked. I haven't worked with iOS myself, but I would look into using django's cookie-based csrf tokens. You can use the ensure_csrf_cookie
decorator to make django send a csrftoken
cookie with a response, and your POST
requests will validate as long as you include that token as an X-CSRFToken
header.
Solution 2
I've had the same issue. My problem was that I forgot to put .as_view()
in urls.py on MyAPIView
. So it have to be like:
url(r'$', GetLikesAPI.as_view(), name='list')
not:
url(r'$', GetLikesAPI, name='list')
Solution 3
The problem you encounter here is that django for processing your view is using whatever as_view()
method will return, not directly method get()
or post()
.
Therefore you should decorate your class-based view in one of following ways:
- In urls.py
urlpatterns = patterns('', url('^login/$', csrf_exempt(views.LoginView.as_view())), ... )
- or on
dispatch()
method (pre django 1.9)
from django.utils.decorators import method_decorator class LoginView(APIView): @method_decorator(csrf_exempt) def dispatch(self, *args, **kwargs): ...
- or on class view itself (from django 1.9)
from django.utils.decorators import method_decorator @method_decorator(csrf_exempt, name='dispatch') class LoginView(APIView): ...
Solution 4
For GETs, you shouldn't be modifying data, so a CSRF isn't required.
If you are modifying data with a POST, then you SHOULD have a CSRF if you are using session based authentication. Otherwise, you're opening up a security hole. Even though you think your Django server is going to be servicing iPhone apps, there's nothing to stop someone with your app from sniffing the packets on the traffic to your server, and then reverse engineering access to the server with other kinds of web clients. For this reason, Django Rest Framework requires a CSRF in some cases. This is mentioned in the Django rest framework documentation.
The path around this requirement for POSTs is to not use session authentication. For example, you could use BasicAuthentication over HTTPS. With this authentication mechanism, you should use HTTPS to prevent credentials from being passed in the clear with every request.
Solution 5
urlpatterns = patterns('',
url('^login/$', csrf_exempt(views.LoginView.as_view())),
...
)
Guys. I had the same error and spent a lot of time just for finding that: 1) I had another router with 'login' and there i missed '$'. I mean sometimes you can forget something in routing and get this error.
user2237822
Updated on February 04, 2021Comments
-
user2237822 over 3 years
I am using the django rest framework to perform API calls via IOS and I get the following error "CSRF Failed: CSRF cookie not set."
Here's my django API code:
class LoginView(APIView): """ List all snippets, or create a new snippet. """ @csrf_exempt def get(self, request, format=None): startups = Startup.objects.all() serializer = StartupSerializer(startups, many=True) return Response(serializer.data) @csrf_exempt def post(self, request, format=None): profile = request.POST ....
What can I do?