ASKBOT / askbot-devel

Askbot is a Django/Python Q&A forum. **Contributors README**: https://github.com/ASKBOT/askbot-devel#how-to-contribute. Commercial hosting of Askbot and support are available at https://askbot.com

Forbidden (403) CSRF verification failed. When converting an answer to comment and back to an answer 0.11.x #847

Open damascene opened 4 years ago

damascene commented 4 years ago

On 0.11.x, after I converted an answer to a comment by clicking the "repost as a question comment" button, I changed my mind and wanted to post it as an answer again by pressing "convert to answer". I got this:

    Forbidden (403)

    CSRF verification failed. Request aborted.
    Help

    Reason given for failure:

        CSRF token missing or incorrect.


martin-bts commented 4 years ago

The part of the displayed page that has the "convert to answer" link is created with JavaScript, i.e. on the client side. This means the CSRF token is not rendered into the link by Askbot. Instead, JavaScript reads it directly from the cookie.

I can reproduce your problem by adding CSRF_COOKIE_HTTPONLY = True to my settings.py. According to the fine manual,

If this is set to True, client-side JavaScript will not be able to access the CSRF cookie.

As you apparently can use Askbot, but not that particular function, my best guess is you have that option set. Can you please check if you have that setting? To be sure, can you please also check whether the cookie in your browser, when you reproduce the problem, has http_only set?
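As an added illustration of the failure mode martin-bts describes (example code, not Askbot's own): the client resolves the CSRF token from a server-rendered DOM value first and only falls back to the `csrftoken` cookie, so the AJAX call keeps working when `CSRF_COOKIE_HTTPONLY = True` hides the cookie from script. The function names and the sample token values are assumptions.

```javascript
// Added example, not Askbot's code. Resolves the Django CSRF token on the
// client when CSRF_COOKIE_HTTPONLY may hide the "csrftoken" cookie from JS.
// Function names and sample values below are assumptions.

// Parse one cookie out of a document.cookie string ("name=value; name2=value2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Resolve the token in order of preference:
// 1. a value the server rendered into the page (Django's {% csrf_token %}
//    hidden input or a data attribute), which is readable even when the
//    cookie is HttpOnly;
// 2. the csrftoken cookie, which is what the client-side link generation in
//    the thread relies on and which script cannot see when
//    CSRF_COOKIE_HTTPONLY = True.
function getCsrfToken({ domToken = null, cookieString = '' } = {}) {
  if (domToken) return domToken;
  return readCookie(cookieString, 'csrftoken');
}

// Build headers for an AJAX POST. Django's CsrfViewMiddleware reads the
// X-CSRFToken header; with no token the request ends in the 403 above.
function csrfHeaders(token) {
  if (!token) {
    throw new Error('CSRF token unavailable: render it into the DOM or unset CSRF_COOKIE_HTTPONLY');
  }
  return { 'X-CSRFToken': token, 'X-Requested-With': 'XMLHttpRequest' };
}

// Browser usage (illustrative; `document` does not exist under Node):
// const domToken = document.querySelector('input[name=csrfmiddlewaretoken]')?.value;
// const token = getCsrfToken({ domToken, cookieString: document.cookie });
// fetch('/convert/', { method: 'POST', headers: csrfHeaders(token), body: form });
```

Checking whether the cookie is visible to script at all (`document.cookie` never contains an HttpOnly cookie) is the quickest way to confirm the setting martin-bts asks about.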