First time here? Check out the FAQ!

Create Admin User Error - "CSRF verification failed. Request aborted."

I have installed a version of Askbot on my local machine (Mac OSX). It works fine, except that it won't let me lot into the admin at all, so I cannot create an admin user.

I get the message "CSRF verification failed. Request aborted." when I try to log into admin/create a user profile.

I see previous threads suggest this is due to to mis-configuration of CSRF_COOKIE_DOMAIN in I have set this to 'localhost' -- this obviously is not working.

A separate thread on Django suggested I solve the problem by adding two lines to Middleware section -- this did not work either:

'django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.csrf.CsrfResponseMiddleware',

Any suggestions for me?

Evgeny's avatar
updated 2011-12-06 08:26:56 -0500
william's avatar
asked 2011-12-06 01:02:48 -0500
edit flag offensive 0 remove flag close merge delete


add a comment see more comments

3 Answers


CSRF_COOKIE_NAME = 'localhost_csrf'    

If your server is running at,
Empty string is the answer.


oguma's avatar
answered 2012-03-13 10:39:59 -0500, updated 2012-03-13 10:53:08 -0500
edit flag offensive 0 remove flag delete link


Revisiting an old issue: I was recently testing on G Chrome running on, and getting the "CSRF verification failed" error. Initially, I had /DOMAIN_NAME = 'localhost'/, so I switched to /DOMAIN_NAME = ''/ as you point out, and the error went away. But then I switched back to /DOMAIN_NAME = 'localhost'/, and the error is not there anymore on subsequent server runs. So somewhere it seems there is a bug/feature where DOMAIN_NAME = 'localhost', will not work initially, but will work if the cookie has been set earlier by using the blank domain name (?!).

Basel Shishani's avatar Basel Shishani (2012-06-15 02:10:21 -0500) edit

This solution worked for me.

Cerin's avatar Cerin (2013-05-29 14:29:59 -0500) edit
add a comment see more comments

Please put instead an IP address - the 'localhost' value won't work.

Usually you get '' as the localhost IP address.

Evgeny's avatar
answered 2011-12-06 07:21:49 -0500
edit flag offensive 0 remove flag delete link


I have the same problem. I tried the localhost IP address, but the CSRF error persists. I also tried the ip that my internet provider gives me (dynamic), but no dice.

quesada's avatar quesada (2011-12-11 21:14:16 -0500) edit

For example, you should have: CSRF_COOKIE_DOMAIN = '', without the http:// prefix and without the port number, what is in your file? Of course you need to have either the real IP address or host name, if the host is remote, but for the local host the should work.

Evgeny's avatar Evgeny (2011-12-11 21:18:23 -0500) edit

CSRF_COOKIE_DOMAIN = ''is exactly what I have, but I still get thes CSRF error when a form button is pressed.

quesada's avatar quesada (2011-12-12 13:57:45 -0500) edit

Is that your local computer or a remote server?

Evgeny's avatar Evgeny (2011-12-12 14:01:55 -0500) edit

This is a local computer. Maybe I can use the hosts file to redirect some domain name (say to localhost, and use such domain in the CSRF_ COOKIE _DOMAIN?

quesada's avatar quesada (2011-12-12 15:48:31 -0500) edit
add a comment see more comments

Sorry this is not an answer, but I can't add comments - probably not available for new users.

I'm having the exact same issue on Debian Squeeze. I get it when I follow 'Create a password-protected account' for creating the first (admin) account:

I Installed Askbot (and django) using pip. I tried both localhost and the ip style, and tried everything mentioned above:

  • added 'django.middleware.csrf.CsrfViewMiddleware', 'django.middleware.csrf.CsrfResponseMiddleware',

  • 'django.core.context_processors.csrf' is there.

The CSRF token is there in the form, but I notice there are two of them - is that normal ?!

<form id="signin-form" method="post" action="/account/signin/"><div style='display:none;'>
<input type='hidden' id='csrfmiddlewaretoken' name='csrfmiddlewaretoken' value='0e488724a595cc9099ff83aa7ee2ac27' /></div>
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken' value='0e488724a595cc9099ff83aa7ee2ac27' /></div>
Basel Shishani's avatar
Basel Shishani
answered 2011-12-14 02:28:03 -0500
edit flag offensive 0 remove flag delete link


You need to disable the middleware and leave only the context processor.

Evgeny's avatar Evgeny (2011-12-14 06:16:40 -0500) edit

Same story:Forbidden (403)

CSRF verification failed. Request aborted.

Basel Shishani's avatar Basel Shishani (2011-12-15 10:35:17 -0500) edit

Is this something I need to investigate at Django level? Askbot is not doing anything special with CSRF - right?!

Basel Shishani's avatar Basel Shishani (2011-12-15 10:39:43 -0500) edit

No, if you set up askbot following the instructions - it should work, and test with runserver first. The key is to set the CSRF_COOKIE_DOMAIN correctly. If you still have problems maybe you could let me log in to your server and check? You can also email me your file.

Evgeny's avatar Evgeny (2011-12-15 10:49:16 -0500) edit
add a comment see more comments