
Forbidden (403) CSRF verification failed. Request aborted.

I'm using Flask and logging in customers with LinkedIn... I'm getting the error: Forbidden (403) CSRF verification failed. Request aborted.

I saw some posts on fixing this in Django, but I don't see how to apply this to Flask.

Also it says:

More information is available with DEBUG=True.

But I already have DEBUG=True and no information is being given in the error log.

Hi there,

I've never used/seen CSRF protection in Flask. Do you know where it's coming from, or how it's meant to work?

I'm getting it in my "add_user" view:

@app.route('/add_user', methods=['GET','POST'])
def add_user():
    form = UserForm()
    if form.validate_on_submit():
        g.db.execute('insert into users (firstName,lastName,coName,email,comId,yelpURL,comments,password,revenue,profit,zipCode ) values (?,?,?,?,?,?,?,?,?,?,?)',
                     [request.form['firstName'], request.form['lastName'],request.form['coName'], request.form['email'], 0, 
                     'NA', 'NA',request.form['password'],request.form['revenue'],request.form['profit'],coZip])
        g.db.commit()
        # flash('Thanks for signing up... let\'s find you a community')
        user = User(request.form['email'], request.form['password'])
        login_user(user, remember=True)
        return redirect(url_for('com_flow'))
    return render_template('add_user.html', form=form, linkMe=linkMe)



  #add_user.html  
  <form class="form form-horizontal" method="post" role="form" enctype=multipart/form-data action>
  {{ form.hidden_tag() }}
  {{ wtf.form_errors(form, hiddens="only") }}
  {{ wtf.form_field(form.email) }}
  {{ wtf.form_field(form.password) }}
  {{ wtf.form_field(form.firstName) }}
  {{ wtf.form_field(form.lastName) }}
  {{ wtf.form_field(form.coName) }}
  <!-- <p><a href=# id="calculate">Click to validate Yelp</a></p> -->
  {{ wtf.form_field(form.revenue) }}
  {{ wtf.form_field(form.profit) }}

  <button type="submit" class="btn btn-primary btn-lg btn-block">Submit</button>

</form>

Whenever I click submit, it goes to a 403 page with the message above... also the error doesn't appear in my error logs, only on the page.

Here are the docs... this works fine on my local environment and I do have this at the top of my flask app.py:

from flask_wtf.csrf import CsrfProtect
CsrfProtect(app)

https://github.com/lepture/flask-wtf/blob/master/docs/csrf.rst

Are you using the same version of Flask locally as on PythonAnywhere?

No, I totally was not using the same version, I'm an idiot... thanks! Upgrading to 10.1 fixed the problem!
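The fix in this thread was a Flask version mismatch between the local machine and the host. As an added example (not code from the thread), this compares `pip freeze` output captured in each environment and lists every package whose pinned version differs; the sample package lists and version numbers are constructed for illustration.

```python
import re

# Constructed sample `pip freeze` output (not taken from the thread).
LOCAL_FREEZE = """\
Flask==0.10.1
Flask-WTF==0.9.5
WTForms==2.0
Jinja2==2.7.2
"""
HOSTED_FREEZE = """\
flask==0.9
Flask_WTF==0.9.5
WTForms==2.0
itsdangerous==0.24
"""

def normalize(name):
    # Package names are case-insensitive and treat runs of -, _ and . as equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text):
    """Return {normalized_name: version} for pinned `name==version` lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or option such as -e
            continue
        name, sep, version = line.partition("==")
        if sep:  # unpinned or URL requirements are ignored
            pins[normalize(name)] = version.strip()
    return pins

def diff_environments(local, hosted):
    """Return sorted (package, local_version, hosted_version) tuples that differ.
    None means the package is not installed in that environment."""
    a, b = parse_freeze(local), parse_freeze(hosted)
    return [(n, a.get(n), b.get(n))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]

if __name__ == "__main__":
    for name, local_v, hosted_v in diff_environments(LOCAL_FREEZE, HOSTED_FREEZE):
        print(f"{name}: local={local_v} hosted={hosted_v}")
```
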