Hi,
I have had problems since I upgraded Django from version 2.2 to 3.2 LTS.
My application communicates with APIs in order to monitor my devices, servers or VPN. When I make a request from outside my application to query my application, I get a CSRF token error.
My request is the following:
req = s.post('https://myapp.com/appli/vpn/select/fr115vdom/' + vpn + '/status/',
             {'username': 'vpn-icinga', 'password': 'PASSWORD',
              'csrfmiddlewaretoken': req_get.cookies['csrftoken']})
When I execute this request, I see that the incoming POST request is completely empty.
This is the traceback from Icinga:
Has anything changed in Django version 3.2 regarding CSRF?
Can you confirm what version of Python you are using? (See the Django 3.2 release notes.)
You should also review all the major release notes to see if there is a change affecting your code. (It’s possible that this error is not directly caused by the token itself.)
Also, in the future, please copy/paste the text of the errors - don’t post images of code or text.
Thanks for the quick reply, I’m using Python 3.8 and sorry for the image.
I don’t know why but I removed the csrfmiddlewaretoken from the settings and everything seems to work again, the request is sent and I get a Json response.
I don’t know what the cause is, but could it be the SESSION_COOKIE_SECURE = True parameter that I added in settings?
Regarding SESSION_COOKIE_SECURE, I can’t say. What request are you making to initially retrieve the token?
I’m doing a POST request to check whether the VPN status is up or down, very simple, like the example that I posted. I have a cron job running every 5 minutes. The cron user connects locally to my application, then executes the provided URL parameter, like this:
req = s.post('https://myapp.com/appli/vpn/select/fr115vdom/' + vpn + '/status/',
             {'username': 'vpn-icinga', 'password': 'PASSWORD',
              'csrfmiddlewaretoken': req_get.cookies['csrftoken']})
I found the solution: it was indeed SESSION_COOKIE_SECURE that I had disabled, and I finally get a response. Indeed, each time I execute a POST request, a new token is generated.
Thanks again for your reply.
It’s that connection that I’m asking about. How are you making that connection?
Hi,
I’m coming back to our discussion: I finally left the secure cookie active as a security measure.
Here is the script I was using before:
import requests
from datetime import datetime

datenow = datetime.now()
print('---------------------------------------------------------------------')
print('------------------- Starting script vpn -----------------------')
print(f'------------------{datenow}---------------------')

# One session so the csrftoken (and, after login, sessionid) cookies are kept.
s = requests.Session()
# GET the login page first: this response sets the csrftoken cookie.
req_get = s.get('http://127.0.0.1/')
# Log in; the ?next= parameter sends the logged-in user on to the refresh view.
req = s.post('http://127.0.0.1/?next=/appli/vpn/refresh/',
             {'username': 'user_vpn_refresh',
              'password': 'PASSWORD',
              'csrfmiddlewaretoken': req_get.cookies['csrftoken']})
print(req.text)
Now I have improved this script by using an HTTPS connection to my domain name, with certificate verification against a concatenated cert.pem file,
and by including a Referer header in the POST request.
import requests
from datetime import datetime

datenow = datetime.now()
print('---------------------------------------------------------------------')
print('------------------- Starting script vpn -----------------------')
print(f'------------------{datenow}---------------------')

s = requests.Session()
# Verify the server certificate against the CA chain saved in cert.pem
# (rather than disabling verification).
s.verify = '/tmp/cert.pem'
# Django's CSRF middleware requires a Referer matching the host on HTTPS requests.
headers = {'Referer': 'https://myapp.com/'}
# GET first so the session receives the csrftoken cookie.
req_get = s.get('https://myapp.com/')
req = s.post('https://myapp.com/?next=/appli/vpn/refresh/',
             {'username': 'user_vpn_refresh',
              'password': 'PASSWORD',
              'csrfmiddlewaretoken': req_get.cookies['csrftoken']},
             headers=headers)
print(req.text)
This way the connection and the request are completely secure and prevent a MITM.
Of course, if there is a better way to do this, I’m open to suggestions.
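To make explicit why adding the Referer header fixed the HTTPS request, here is an added example (not code from this thread, and not Django's own code) that re-implements, in simplified stand-alone form, the checks Django 3.2's CsrfViewMiddleware applies to a POST, and runs them against constructed requests modelled on the scripts above. The host name myapp.com, the empty CSRF_TRUSTED_ORIGINS setting and the Request objects are assumptions for illustration; Origin-header checking is left out because a requests.Session script sends no Origin header and therefore reaches the Referer check.

```python
"""Simplified re-implementation of the Django 3.2 CsrfViewMiddleware checks.
Added example for this thread; not Django's code and imports no Django, so it
runs offline.  myapp.com and the empty CSRF_TRUSTED_ORIGINS are assumptions."""
import secrets
import string
from dataclasses import dataclass, field
from urllib.parse import urlparse

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_TRUSTED_ORIGINS = []  # assumed: setting left at its default


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    return ''.join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_cipher_secret(secret):
    """mask + (secret shifted by mask): the 64-char value carried by both the
    csrftoken cookie and the csrfmiddlewaretoken form field."""
    mask = new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    return mask + ''.join(chars[(x + y) % len(chars)] for x, y in pairs)


def unmask_cipher_token(token):
    """Reverse of mask_cipher_secret; negative indexing does the wrap-around."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return ''.join(chars[x - y] for x, y in pairs)


def token_well_formed(token):
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def is_same_domain(host, pattern):
    """Exact match, or a leading-dot pattern that also matches subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith('.'):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


@dataclass
class Request:
    method: str
    host: str          # what request.get_host() would return, e.g. 'myapp.com'
    secure: bool       # True when the request arrived over HTTPS
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_check(request):
    """Return None if the request is accepted, else the rejection reason
    (wording follows the messages Django 3.2 logs)."""
    if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        return None
    if request.secure:
        # Strict Referer checking applies only to HTTPS requests, which is why
        # the first script worked over http://127.0.0.1 with no Referer at all.
        referer = request.headers.get('Referer')
        if referer is None:
            return 'Referer checking failed - no Referer.'
        parsed = urlparse(referer)
        if parsed.scheme != 'https' or not parsed.netloc:
            return 'Referer checking failed - Referer is malformed or insecure.'
        good_hosts = [request.host] + CSRF_TRUSTED_ORIGINS
        if not any(is_same_domain(parsed.netloc, h) for h in good_hosts):
            return 'Referer checking failed - %s does not match any trusted origins.' % referer
    cookie_token = request.cookies.get('csrftoken')
    if cookie_token is None:
        return 'CSRF cookie not set.'
    form_token = request.post.get('csrfmiddlewaretoken') or request.headers.get('X-CSRFToken', '')
    if not (token_well_formed(cookie_token) and token_well_formed(form_token)):
        return 'CSRF token missing or incorrect.'
    # Cookie and form field may carry different masks, so compare the secrets.
    if not secrets.compare_digest(unmask_cipher_token(form_token), unmask_cipher_token(cookie_token)):
        return 'CSRF token missing or incorrect.'
    return None


def run_scenarios():
    """Constructed requests mirroring the thread's scripts; returns the reasons."""
    cookie = mask_cipher_secret(new_csrf_string())
    common = dict(method='POST', host='myapp.com', secure=True, cookies={'csrftoken': cookie})
    form = {'username': 'vpn-icinga', 'password': 'x', 'csrfmiddlewaretoken': cookie}
    return {
        'https_no_referer': csrf_check(Request(**common, post=form)),
        'https_referer_ok': csrf_check(Request(**common, post=form, headers={'Referer': 'https://myapp.com/'})),
        'https_referer_foreign': csrf_check(Request(**common, post=form, headers={'Referer': 'https://evil.example/'})),
        'http_no_referer': csrf_check(Request(**{**common, 'secure': False}, post=form)),
        'http_wrong_token': csrf_check(Request(**{**common, 'secure': False},
                                              post={**form, 'csrfmiddlewaretoken': mask_cipher_secret(new_csrf_string())})),
    }


if __name__ == '__main__':
    for name, reason in run_scenarios().items():
        print(f'{name:24s} -> {reason or "accepted"}')
```

The two HTTPS scenarios reproduce the thread: the same valid token is rejected with "no Referer" and accepted once a Referer for the application's own host is present. The example also shows why posting the raw cookie value as csrfmiddlewaretoken works: cookie and form field are two maskings of one secret, and the middleware compares the unmasked secrets rather than the strings.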