webfaction/django site: Android browser triggers csrf verification error

Dear All

I'm developing a django site that I'd like to be accessible from mobile devices. The site is behaving as expecting with desktop browsers (Chrome, Firefox, Safari) and with iPhone and BlackBerry browsers. The Android browser is behaving strangely.

Symptom:

The site has a very simple login page containing a form with username, password and the {% csrf_token %} tag. When trying to login from the Android phone browser, the page returns the "CRSF verification failed" error page (django running debug=True for the moment). However, the user has been logged in: on reloading the page, I get the page I was expecting, along with the user details.

So:

http://eg.com/login/ # ok, enter username "tu01", password, send
http://eg.com/profile/ # error: csrf verification failed, reload
http://eg.com/profile/ # ok, "tu01"'s homepage

Context:

I've tried this with django 1.2.7 and django 1.3;
The site is running on webfaction;
I've tested with another django site, running on a "real" server (physical machine with centos, nginx, etc), with similar login/csrf, and the Android browser works properly.

I can't think what can be the problem. Has anyone else had similar experiences with django's csrf protection, the Android browser and/or webfaction? Can anyone offer any clues?

With thanks and best wishes

Ivan

asked Oct 20 '11 at 05:32

ivan_llaisdy
1●1

Does this only happen with the stock browser for Android or with other third-party browsers like Dolphin too?

(Oct 20 '11 at 21:56) neeravk ♦♦

3 Answers:

oldest newest most voted

Dear neeravk,

Thank you for your comment. That's a good question ...

Ha! I installed Opera Mini and the site works fine! The error effect only happens with the stock browser!

Thanks very much. Do you know what is up with the stock Android browser? Is it based on an old version of IE? Eventually I'm going to have to cope with it.

Best wishes

Ivan

answered Oct 21 '11 at 03:09

ivan_llaisdy
1●1

Hi Ivan,

Both Froyo and Honeycomb versions use the WebKit engine for their browser, so it's probably a bug.

You could search here if such a bug exists and if not, you could as well report it.

(Oct 21 '11 at 03:29) iliasr ♦♦

I am not sure if Opera Mini can be compared with Android browser since Opera Mini renders the page on Opera servers before sending to the phone as far as I know while Android browser renders it on the phone itself.

Can you tell us what version of Android you are using?

As Ilias stated above, reporting it to the Android bug tracker seems like the best option

(Oct 21 '11 at 03:38) neeravk ♦♦

Can you also check if the Android browser is actually setting the csrftoken cookie or not?

(Oct 21 '11 at 03:47) neeravk ♦♦

0	Dear All, thanks for your comments. I have to go offline for a few days. I'll respond properly on Tuesday. Best wishes, Ivan answered Oct 21 '11 at 15:31 ivan_llaisdy 1●1

Dear iliasr, neeravk,

Thanks for your help. For now, I've decided to concentrate on the iPhone client, as the webview behaves itself and other parts of development are smoother as well. If/when I come back and solve this I'll post a summary here.

Best wishes

Ivan

answered Oct 25 '11 at 08:28

ivan_llaisdy
1●1

Your answer

If you have an answer to the above question, then use the form below. Otherwise, use the appropriate 'add new comment' button above to post your feedback.

toggle preview

community wiki

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

django ×641
webfaction ×73
csrf ×5
android ×2

Asked: Oct 20 '11 at 05:32

Seen: 1,132 times

Last updated: Oct 25 '11 at 08:28

webfaction/django site: Android browser triggers csrf verification error

Follow this question

Got questions? We have answers!

Related questions