Deployed my project on AWS Lightsail, CSRF verification failed when I tried to log in to my project

Keywords: Django - AWS - Technical issue - Application configuration

bnsupport ID: 158e5634-87f8-8e66-9057-b45763b5420e

bndiagnostic output:

? Apache: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/

bndiagnostic failure reason: I do not know how to perform the changes explained in the documentation

Description:
Hi, thanks for solving my previous issue, it was fast and definitely helpful.
Sorry I got another problem right away.
I deployed my web project on /opt/bitnami/projects/mysite successfully, and it runs perfectly.

However, when I try to log in to an account on my website, the CSRF verification error popped up.
The error shows the following message.

    [Sun Aug 22 03:10:03.764813 2021] [wsgi:error] [pid 15324] [client **ip_address**:52804] Forbidden (CSRF cookie not set.): /members/login/

And in the web browser, a Forbidden (403) error page also pops up.
Here is what shows in the browser.

CSRF verification failed. Request aborted.

You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.

Reason given for failure:

    CSRF cookie not set.
    
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:

Your browser is accepting cookies.
The view function passes a request to the template's render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.

Possible solutions I have tried
I tried to make sure all of my templates have {% csrf_token %} on every POST method form. However, the error still pops up.
I’m wondering if there is a way to disable the CSRF verification? Originally, I tried to comment out

# 'django.middleware.csrf.CsrfViewMiddleware',

in settings.py. That’s what I did when I deployed my project on PythonAnywhere hosting. It worked normally and no errors popped up.
However, even though I commented out the CSRF middleware, on AWS Lightsail I still get the CSRF verification failed error.

If I can disable CSRF in Bitnami’s Apache host, that would definitely be the easiest solution I can get.
( my website is just a simple site which I don’t think I need csrf )

Some extra information. The project is called mysite and there is an application called members to manage the login and registration.
I’m using the Django built-in django.contrib.auth.urls to set up the urls.py,
so I don’t need to set up views.py, I just need to modify the login.html in the template folder.

path('members/', include('django.contrib.auth.urls')),

so my login page URL is members/login/

Here is the code of my login page, not too long.

{% load static %}
<!DOCTYPE html>
<html lang="en">

<head>

  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">

  <title>Django SB Admin - Login</title>

  <!-- Custom fonts for this template-->
  <link href="{% static "vendor/fontawesome-free/css/all.min.css" %}" rel="stylesheet" type="text/css">

  <!-- Custom styles for this template-->
  <link href="{% static "css/sb-admin.css" %}" rel="stylesheet">

</head>

<body class="bg-dark">

  <div class="container">
    <div class="card card-login mx-auto mt-5">
      <div class="card-header">Login</div>
      <div class="card-body">
        <form method="POST">
            {% csrf_token %}
            {{ form.as_p }}
            <button type="submit" class="btn btn-primary">Login</button>
        </form>
        <div class="text-center">
<!--          <a class="d-block small mt-3" href="{% url "register" %}">Register an Account</a>-->
<!--          <a class="d-block small" href="{% url "sb_admin_forgot_password" %}">Forgot Password?</a>-->
        </div>
      </div>
    </div>
  </div>

  <!-- Bootstrap core JavaScript-->
  <script src="{% static "vendor/jquery/jquery.min.js" %}"></script>
  <script src="{% static "vendor/bootstrap/js/bootstrap.bundle.min.js" %}"></script>

  <!-- Core plugin JavaScript-->
  <script src="{% static "vendor/jquery-easing/jquery.easing.min.js" %}"></script>

</body>

</html>

Hi @yifei_chen

Thanks for using Bitnami. Unfortunately, I don’t have enough knowledge about this error in Django or how to solve it. To me, this seems to be something specific to Django itself. Can you check if any of the suggestions in the next link are of help?

https://stackoverflow.com/questions/48468640/django-posts-receive-csrf-verification-failed-after-switching-to-load-balancer

1 Like

Thanks for the quick reply.
Your suggestions from that URL are definitely helpful.
I got more detailed information about the error.

# OperationalError at /members/login/

attempt to write a readonly database

|Request Method:|POST|
| --- | --- |
|Request URL:|http://18.180.7.17/members/login/|
|Django Version:|3.1.6|
|Exception Type:|OperationalError|
|Exception Value:|attempt to write a readonly database|
|Exception Location:|/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/sqlite3/base.py, line 413, in execute|
|Python Executable:|/opt/bitnami/python/bin/python3|
|Python Version:|3.8.7|
|Python Path:|['/opt/bitnami/python/lib/python38.zip', '/opt/bitnami/python/lib/python3.8', '/opt/bitnami/python/lib/python3.8/lib-dynload', '/opt/bitnami/python/lib/python3.8/site-packages', '/opt/bitnami/python/lib/python3.8/site-packages/setuptools-46.4.0-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/pip-20.3.4-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/virtualenv-20.4.2-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/six-1.15.0-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/filelock-3.0.12-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/distlib-0.3.1-py3.8.egg', '/opt/bitnami/python/lib/python3.8/site-packages/appdirs-1.4.4-py3.8.egg', '/opt/bitnami/projects/mysite']|
|Server time:|Wed, 25 Aug 2021 01:23:49 +0900|

I think the problem happens because my website doesn’t have permission to WRITE the database file.
My database file is db.sqlite3 in the project folder.
However, after some attempts to add permissions to the database file and the folder, I still got the same error.
Any help to guide me on how to set the appropriate permissions on the database file would be highly appreciated!
My current permission info for the projects folder and files:

drwxr-xr-x  5 bitnami root    4096 Aug 21 18:06 projects
     |---    drwxr-xr-x 12 bitnami bitnami 4096 Aug 21 18:09 mysite
            |---   drwxr-xr-x  2 bitnami bitnami   4096 Aug 21 18:06 conf
                    -rwxr-xr-x  1 bitnami bitnami 438272 Aug 21 18:06 db.sqlite3
                    drwxr-xr-x  8 bitnami bitnami   4096 Aug 21 18:09 django_sb_admin
                    drwxr-xr-x  5 bitnami bitnami   4096 Aug 21 18:06 django_sb_admin-b
                    -rw-r--r--  1 bitnami bitnami    684 Aug 21 18:06 manage.py
                    drwxr-xr-x  6 bitnami bitnami   4096 Aug 21 18:09 members
                    drwxr-xr-x  4 bitnami bitnami   4096 Aug 21 18:09 mysite
                    drwxr-xr-x  6 bitnami bitnami   4096 Aug 21 18:06 polls
                    drwxr-xr-x  3 bitnami bitnami   4096 Aug 21 18:06 scripts
                    drwxr-xr-x 11 bitnami bitnami   4096 Aug 21 18:09 static
                    drwxr-xr-x  4 bitnami bitnami   4096 Aug 21 18:09 wx

@gongomgra, check my new reply above. Any suggestion on how to change the file permissions would be appreciated!

A little bit more information about the error!

Environment:


Request Method: POST
Request URL: http://18.180.7.17/members/login/

Django Version: 3.1.6
Python Version: 3.8.7
Installed Applications:
['django_sb_admin.apps.DjangoSbAdminConfig',
 'django_extensions',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'wx.apps.WxConfig',
 'members']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']



Traceback (most recent call last):
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 84, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/sqlite3/base.py", line 413, in execute
    return Database.Cursor.execute(self, query, params)

The above exception (attempt to write a readonly database) was the direct cause of the following exception:
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/views/generic/base.py", line 70, in view
    return self.dispatch(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/utils/decorators.py", line 43, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/views/decorators/debug.py", line 89, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/utils/decorators.py", line 43, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/utils/decorators.py", line 43, in _wrapper
    return bound_method(*args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/views.py", line 63, in dispatch
    return super().dispatch(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/views/generic/base.py", line 98, in dispatch
    return handler(request, *args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/views/generic/edit.py", line 141, in post
    if form.is_valid():
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/forms/forms.py", line 177, in is_valid
    return self.is_bound and not self.errors
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/forms/forms.py", line 172, in errors
    self.full_clean()
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/forms/forms.py", line 375, in full_clean
    self._clean_form()
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/forms/forms.py", line 402, in _clean_form
    cleaned_data = self.clean()
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/forms.py", line 215, in clean
    self.user_cache = authenticate(self.request, username=username, password=password)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/__init__.py", line 73, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/backends.py", line 48, in authenticate
    if user.check_password(password) and self.user_can_authenticate(user):
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/base_user.py", line 112, in check_password
    return check_password(raw_password, self.password, setter)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/hashers.py", line 60, in check_password
    setter(password)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/base_user.py", line 111, in setter
    self.save(update_fields=["password"])
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/contrib/auth/base_user.py", line 67, in save
    super().save(*args, **kwargs)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/base.py", line 753, in save
    self.save_base(using=using, force_insert=force_insert,
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/base.py", line 790, in save_base
    updated = self._save_table(
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/base.py", line 872, in _save_table
    updated = self._do_update(base_qs, using, pk_val, values, update_fields,
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/base.py", line 926, in _do_update
    return filtered._update(values) > 0
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/query.py", line 803, in _update
    return query.get_compiler(self.db).execute_sql(CURSOR)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1522, in execute_sql
    cursor = super().execute_sql(result_type)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1156, in execute_sql
    cursor.execute(sql, params)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 98, in execute
    return super().execute(sql, params)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 66, in execute
    return self._execute_with_wrappers(sql, params, many=False, executor=self._execute)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 75, in _execute_with_wrappers
    return executor(sql, params, many, context)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 84, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/utils.py", line 90, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/utils.py", line 84, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/bitnami/python/lib/python3.8/site-packages/django/db/backends/sqlite3/base.py", line 413, in execute
    return Database.Cursor.execute(self, query, params)

Exception Type: OperationalError at /members/login/
Exception Value: attempt to write a readonly database

For the full error description you can check my error copy here:
https://dpaste.com/5HT2EHQBN

Hi @yifei_chen,

Thanks for the info. Can you try to set the permissions to bitnami:daemon? Apache is run by the daemon user and group.

sudo chown -R bitnami:daemon projects/mysite
sudo find projects/mysite -type d -exec chmod 775 "{}" ";"
sudo find projects/mysite -type f -exec chmod 644 "{}" ";"

If letting Apache only read your files is too restrictive, you can use 664 in the last command to also enable the write bit for your files.

1 Like
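To see why the listing above fails for Apache, here is an added check (not part of the thread or of Bitnami's tooling) that evaluates a write by the web server's uid and group set against a file and, because SQLite also creates journal files, against its directory; the daemon and bitnami ids used in the cases are placeholders, not the real ids on the instance.

```python
import os
import stat


def write_allowed(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix decision for a write by a process with effective uid and
    group set gids: owner bits apply if you own the file, else the group bits
    if the file's group is one of yours, else the 'other' bits. Root is
    deliberately not special-cased, since Apache workers do not run as root."""
    if owner_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def sqlite_write_report(db_path, uid, gids):
    """SQLite must write the database file itself and create journal/WAL files
    next to it, so the containing directory has to be writable as well."""
    report = {}
    for name, path in (("file", db_path), ("dir", os.path.dirname(os.path.abspath(db_path)))):
        st = os.stat(path)
        report[name] = write_allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)
    return report


def thread_listing_cases():
    """Modes from the listing in the thread, evaluated for a constructed daemon
    identity (uid 1, gid 1) against files owned by bitnami (uid/gid 1000).
    Both ids are placeholders, not the real ones on the instance."""
    daemon_uid, daemon_gid = 1, 1
    bitnami = 1000
    return {
        # db.sqlite3 -rwxr-xr-x bitnami bitnami: daemon falls through to the 'other' bits
        "before": write_allowed(0o755, bitnami, bitnami, daemon_uid, {daemon_gid}),
        # after chown bitnami:daemon + chmod 644: group daemon has no write bit
        "chmod_644": write_allowed(0o644, bitnami, daemon_gid, daemon_uid, {daemon_gid}),
        # after chown bitnami:daemon + chmod 664: group write bit set
        "chmod_664": write_allowed(0o664, bitnami, daemon_gid, daemon_uid, {daemon_gid}),
    }
```

Run sqlite_write_report("/opt/bitnami/projects/mysite/db.sqlite3", uid, gids) with the real ids from `id daemon` to check a live instance.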

Thanks for the reply!
I tried to change the permissions both based on your guide and on the Bitnami document about permission issues.
It turns out that when I access my website through the static IP, http://18.180.7.17/, I can log in to my account smoothly. This is cool. This URL is not secured, just HTTP.
However, if I access my website through https://d1immde5nhqfqu.cloudfront.net/, which is the default HTTPS domain provided by the AWS Lightsail distribution, I still get the previous CSRF error.

My current projects/mysite is owned by daemon:daemon,
directory permissions are 775 and files are 664.

    [Sat Aug 28 04:39:55.600324 2021] [wsgi:error] [pid 31658] [client **ip_address**:4612] Forbidden (CSRF cookie not set.): /members/login/
    [Sat Aug 28 04:40:40.925769 2021] [wsgi:error] [pid 31655] [client **ip_address**:44700] Forbidden (CSRF cookie not set.): /members/login/

I guess there is probably something wrong with my WSGI settings, since the error only happens when I access my website through the HTTPS domain, or there are still some permission problems with my Apache setup.

I think I’m going to try to reinstall my instance completely and redo the WSGI settings and deploy the website again to see if it could solve the problem.

Any tip or suggestion would be highly appreciated.

Hi @yifei_chen,

Thanks for your message. Unfortunately, I don’t know what can be causing your issue. Can you try to disable CloudFront temporarily and navigate to your website? Remember to clean any cookie related to this from your browser. If the issue is solved, then I think you are having issues with CloudFront. In that case, please check the official docs about this.

I also found a StackOverflow topic related to this; I’m sharing it here in case it is of help for you.

https://stackoverflow.com/questions/48865338/aws-cloudfront-causing-csrf-token-mismatch-exception/48868163

1 Like

@gongomgra Absolutely Amazing!
This is exactly what caused my problem.
I cannot believe this is just a simple setting problem of Cloudfront distribution.
Oh my, cloudfront is the stupidest distribution I have ever used. :joy:
Let me share how I fixed my problem specifically for AWS Lightsail.

Go to the Lightsail management webpage -> Networking -> Distribution control panel -> Cache.
Scroll down and you will see Advanced cache settings.
Click the forward cookies setting and change it to forward all cookies.

Problem solved! Big thanks @gongomgra!
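As an added illustration (not code from the thread, and not Django's own module), here is a stand-alone re-implementation of the token masking and the checks Django 3.1's CsrfViewMiddleware runs on a POST, used to show why a CDN that does not pass cookies through produces exactly "CSRF cookie not set." even though the form carries a valid {% csrf_token %}; the request values in login_post_scenarios are constructed.

```python
import secrets
import string
from urllib.parse import urlparse

# Alphabet and lengths used by django/middleware/csrf.py in Django 3.1.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_csrf_secret():
    """The value Django stores in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_cipher_secret(secret):
    """What {% csrf_token %} renders: a random mask plus the secret shifted by it,
    so every render carries a different 64-char token that unmasks to the same secret."""
    mask = new_csrf_secret()
    idx, n = CSRF_ALLOWED_CHARS.index, len(CSRF_ALLOWED_CHARS)
    cipher = "".join(CSRF_ALLOWED_CHARS[(idx(s) + idx(m)) % n] for s, m in zip(secret, mask))
    return mask + cipher


def unmask_cipher_token(token):
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    idx, n = CSRF_ALLOWED_CHARS.index, len(CSRF_ALLOWED_CHARS)
    return "".join(CSRF_ALLOWED_CHARS[(idx(c) - idx(m)) % n] for c, m in zip(cipher, mask))


def check_csrf(cookies, post, is_secure, referer, host):
    """Return None if the POST passes, otherwise the reason string Django logs.
    is_secure is what request.is_secure() reports at the origin; behind a CDN that
    terminates TLS it is False unless SECURE_PROXY_SSL_HEADER is configured.
    The X-CSRFToken header fallback for AJAX is omitted for brevity."""
    if is_secure:  # Django performs Referer checking only for HTTPS requests
        if referer is None:
            return "Referer checking failed - no Referer."
        if urlparse(referer).netloc != host:  # simplified: CSRF_TRUSTED_ORIGINS not consulted
            return "Referer checking failed - %s does not match any trusted origins." % referer
    secret = cookies.get("csrftoken")
    if secret is None:
        return "CSRF cookie not set."
    token = post.get("csrfmiddlewaretoken", "")
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return "CSRF token missing or incorrect."
    if not secrets.compare_digest(unmask_cipher_token(token), secret):
        return "CSRF token missing or incorrect."
    return None


def login_post_scenarios():
    """Constructed requests: one login POST reaching Django directly over HTTP, and the
    same POST via a CDN configured to forward no cookies (the distribution default)."""
    secret = new_csrf_secret()
    post = {"csrfmiddlewaretoken": mask_cipher_secret(secret), "username": "alice"}
    direct = check_csrf({"csrftoken": secret}, post, False, None, "18.180.7.17")
    # The CDN stripped the Cookie header, so the origin never sees csrftoken.
    via_cdn = check_csrf({}, post, False, None, "18.180.7.17")
    return direct, via_cdn
```

Forwarding only the cookies Django actually needs (csrftoken and sessionid) rather than all cookies is the narrower CloudFront setting that also satisfies this check.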

Hi @yifei_chen,

Thanks for the info. I’m glad you fixed your issue! We will close this thread as solved. Please do not hesitate to open a new one with any other questions you may have.

1 Like