How to use curl with Django, csrf tokens and POST requests

django curl django-forms csrf django-csrf
Trindaz picture Trindaz · May 17, 2012 · Viewed 58.4k times · Source

I'm using curl to test one of my Django forms. The calls I've tried (with errors from each, and over multiple lines for readability):

(1):

curl
-d "{\"email\":\"[email protected]\"}"
--header "X-CSRFToken: [triple checked value from the source code of a page I already loaded from my Django app]"
--cookie "csrftoken=[same csrf value as above]"
http://127.0.0.1:8083/registrations/register/

(with http header and csrftoken in cookie) results in a 400 error with no data returned.

(2):

curl
-d "{a:1}"
--header "X-CSRFToken:[as above]"
--cookie "csrftoken=[as above];sessionid=[from header inspection in Chrome]"
http://127.0.0.1:8083/registrations/register/

(as in (1) but no spaces in header property declaration, and with sessionid in cookie too) results in the same 400 error with no data returned.

(3):

curl
-d "{a:1}"
--header "X-CSRFToken:[as above]"
http://127.0.0.1:8083/registrations/register/

(only http header with X-CSRFToken, no cookie) results in error code 403, with message: CSRF cookie not set.

How can I test my form with curl? What factors am I not considering besides cookie values and http headers?

Answer

Kevin S. picture Kevin S. · Sep 12, 2013

A mixture of Damien's response and your example number 2 worked for me. I used a simple login page to test, I expect that your registration view is similar. Damien's response almost works, but is missing the sessionid cookie.

I recommend a more robust approach. Rather than manually entering the cookies from other requests, try using curl's built in cookie management system to simulate a complete user interaction. That way, you reduce the chance of making an error:

$ curl -v -c cookies.txt -b cookies.txt host.com/registrations/register/
$ curl -v -c cookies.txt -b cookies.txt -d "[email protected]&a=1&csrfmiddlewaretoken=<token from cookies.txt>" host.com/registrations/register/

The first curl simulates the user first arriving at the page with a GET request, and all the necessary cookies are saved. The second curl simulates filling in the form fields and sending them as a POST. Note that you have to include the csrfmiddlewaretoken field in the POST data, as suggested by Damien.

Related questions

Django returning HTTP 301?

I have a django view that returns HTTP 301 on a curl request: grapefruit:~ pete$ curl -I http://someurl HTTP/1.1 301 MOVED PERMANENTLY Date: Fri, 16 Oct 2009 19:01:08 GMT Server: Apache/2.2.9 (Win32) mod_wsgi/2.5 Python/2.6.2 PHP/5.2.6 Location: http://someurl Content-Type: text/html; charset=utf-8 …

Read More
appending multiple querystring variables with curl

I keep getting a 401 response when I try to use authentication = ApiKeyAuthentication() in my ModelResource. I looked at Django Tastypie: How to Authenticate with API Key and he uses the get parameters to solve his issue. If I try use …

Read More
Using "Content-Type:application/json" to post in curl gives HTTP/1.1 400 BAD REQUEST

When I make a post request using the following curl -i -d "username=rock&password=rock" http://my_VM_IP/api/1.1/json/my_login/ it generates the required response generating a token like this(abridged): HTTP/1.1 200 OK Date: Mon, 22 …

Read More