instance delete fails with: 403 Forbidden - CSRF verification failed
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
Behavior is that an instance deletion from /project/instances is failing.
The error returned is: 403 Forbidden - CSRF verification failed
This was noted in #openstack-horizon by zigo on 2017-05-12.
OpenStack Release was stated to be Newton, on Debian.
Below are the steps to reproduce from the original bug report.
The information is pulled from (replicated) Debian bugs:
- https:/
----
Instance delete fails when I access:
http://
and select "Delete Instance" from the list of actions with
the error:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
while I see the csrftoken being sent in the request:
csrftoken: tMhcr99nId798AX
Apache error.log just reports the same thing:
Forbidden (CSRF token missing or incorrect.): /horizon/
Deleting the instance works if I enter the instance first:
http://
and than select "Delete Instance" from the list of actions.
The same issue exists when deleting volumes from:
http://
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64
(x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/
Versions of packages openstack-dashboard depends on:
ii adduser 3.115
ii libjs-jquery 3.1.1-2
ii libjs-jquery-cookie 11-3
ii python-
pn python:any <none>
openstack-dashboard recommends no packages.
Versions of packages openstack-dashboard suggests:
ii memcached 1.4.33-1
ii openstack-
-- no debconf information
| Andrew Lenards (lenards) wrote | #1 |
| Changed in horizon: | |
| status: | New → Confirmed |
| importance: | Undecided → Critical |
| assignee: | nobody → Rob Cresswell (robcresswell) |
| milestone: | none → pike-2 |
| Rob Cresswell (robcresswell-deactivatedaccount) wrote | #2 |
| Rob Cresswell (robcresswell-deactivatedaccount) wrote | #3 |
| Changed in horizon: | |
| milestone: | pike-2 → pike-3 |
| Rob Cresswell (robcresswell-deactivatedaccount) wrote | #4 |
| Changed in horizon: | |
| status: | Confirmed → Fix Released |
Adding some context to this from the IRC channel ...
The version of Django is 1.10.
Some things to consider here is that this is Newton because of the installation coming from the Debian package universe.
Debian Stretch (version codename) was frozen prior to the Ocata release.
There is a request for Netwon to support Django 1.10 because of the situation noted here.
This is a summary of a conversation in IRC between zigo and robcresswall.