403 forbidden

my website error 403 in login
my english not good.

Reason given for failure:

CSRF token from POST incorrect.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You’re seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

my setting is


Please post the form and template that you are trying to submit.

Copy/paste the code into the body of the message, surrounded by lines of three backtick - ` characters. This means you should have a line of ```, then your code (or template), then another line of ```.

Side note: ALLOWED_HOSTS entries do not include the scheme. It’s the host name only without the http:// or https:// prefix.

1 Like

thanks for answer me

class LoginForm(forms.Form):
    username = forms.CharField(
        label='* نام کاربری :',
            'required': 'برای ورود به سایت نام کاربری لازم است'
        widget=forms.EmailInput(attrs={'class': "form-control", 'type': "text", 'required': "required",
                                       'placeholder': "نام کاربری را وارد کنید"}),

    password = forms.CharField(
        label='* کلمه عبور :',
            'required': 'برای ورود به سایت پسورد لازم است'
            'class': "form-control", 'type': "password", 'required': "required", 'placeholder': "پسورد را وارد کنید"}),

    remember_me = forms.BooleanField(label='من را به خاطر بسپار', initial=False, required=False,
                                         attrs={'type': "checkbox", 'class': "custom-control-input",
                                                'id': "customCheck1"}))

class UserLogin(View):
    def get(self, request):
        login_form = LoginForm()
        context = {'login_form': login_form}
        return render(request, 'login.html', context)

    def post(self, request: HttpRequest):
        wrong_pass_username = ""
        deactive_user = ""

        login_form = LoginForm(request.POST)

        if login_form.is_valid():
            login_username_enterd = login_form.cleaned_data.get('username')
            login_password_entered = login_form.cleaned_data.get('password')
            remember_me = login_form.cleaned_data.get('remember_me')
            user: Users = Users.objects.filter(username__iexact=login_username_enterd).first()

            if user is not None:
                if not user.is_active:
                    deactive_user = 'حساب کاربری شما فعال نشده است.به ایمیل خود مراجعه کنید'
                    is_password_corect = user.check_password(login_password_entered)
                    if is_password_corect:
                        login(request, user)
                        request.session.set_expiry(1209600)  # 2 weeks
                        if not remember_me:
                        return redirect(reverse('Home_page'))
                        wrong_pass_username = 'کاربری با مشخصات بالا یافت نشده'
                wrong_pass_username = 'کاربری با مشخصات بالا یافت نشده'
        context = {'login_form': login_form, 'wrong_pass_username': wrong_pass_username, 'deactive_user': deactive_user}
        return render(request, 'login.html', context)

{% extends 'share/Master2.html' %}
{% load static %}
{% load widget_tweaks %}
{% block title %}
    ورود به آپشن ویو
{% endblock %}

{% block content %}

    <div class="col-lg-5">
        <div class="card mb-0">
            <div class="card-body">
                <div class="p-2">
                    <h4 class="text-muted float-right font-18 mt-4">ورود به سایت</h4>
                        <a href="{% url 'Home_page' %}" class="logo logo-admin">
                            <img src="{% static 'assets/images/logo_dark.png' %}" height="28" alt="logo"></a>

                <div class="p-2">
                    <form class="form-horizontal m-t-20" href="{% url 'Home_page' %}" method="post"
                          action="{% url 'login_page' %}">
                        {% csrf_token %}
                        {{ login_form.username.label }}
                        {{ login_form.username }}
                        {{ login_form.password.label }}
                        {{ login_form.password }}
                        {% if wrong_pass_username %}
                            <div class="notification-list table-danger ">
                                <p>{{ wrong_pass_username }}</p>

                        {% elif deactive_user %}
                            <div class="notification-list table-danger ">
                                <p>{{ deactive_user }}</p>
                        {% endif %}

                        <div class="form-group row">
                            <div class="col-1">
                                {% render_field login_form.remember_me type="checkbox" class="custom-control custom-checkbox" id="customCheck1" %}
                            <div class="col-11">
                                {{ login_form.remember_me.label }}

                        <div class="form-group text-center row m-t-20">
                            <div class="col-12">
                                <button class="btn btn-primary btn-block waves-effect waves-light" type="submit">ورود به

                        <div class="form-group m-t-10 mb-0 row">
                            <div class="col-sm-7 m-t-20">
                                <a href="{% url 'recover_password' %}" class="text-muted"><i class="mdi mdi-lock"></i>رمز
                                    خود را فراموش کردید؟</a>
                            <div class="col-sm-5 m-t-20">
                                <a href="{% url 'register_page' %}" class="text-muted"><i
                                        class="mdi mdi-account-circle"></i>
                                    حساب کاربری بسازید</a>


{% endblock %}

Is ov.example.ir your actual DNS name for your site? I see in ALLOWED_HOSTS you’re also allowing www.ov.example.ir, which if you are, also needs to be included in CSRF_TRUSTED_ORIGINS. Do you have any other DNS names involved here? If so, they may also need to be included in both settings.

1 Like

ov is my subdomain
main domain in other host and this subdomain develope on django and on other host
403 forbidden by this way solved.but why ?

in google chrome
setting>privacy and security>add my url cookies and other site
and clear cache

I’m sorry, if there’s a still a question here, I’m not understanding what you’re asking or what the issue might be.

1 Like