How to use curl with Django, csrf tokens and POST requests

Trindaz picture Trindaz · May 17, 2012 · Viewed 58.4k times · Source

I'm using curl to test one of my Django forms. The calls I've tried (with errors from each, and over multiple lines for readability):

(1):

curl
-d "{\"email\":\"[email protected]\"}"
--header "X-CSRFToken: [triple checked value from the source code of a page I already loaded from my Django app]"
--cookie "csrftoken=[same csrf value as above]"
http://127.0.0.1:8083/registrations/register/

(with http header and csrftoken in cookie) results in a 400 error with no data returned.

(2):

curl
-d "{a:1}"
--header "X-CSRFToken:[as above]"
--cookie "csrftoken=[as above];sessionid=[from header inspection in Chrome]"
http://127.0.0.1:8083/registrations/register/

(as in (1) but no spaces in header property declaration, and with sessionid in cookie too) results in the same 400 error with no data returned.

(3):

curl
-d "{a:1}"
--header "X-CSRFToken:[as above]"
http://127.0.0.1:8083/registrations/register/

(only http header with X-CSRFToken, no cookie) results in error code 403, with message: CSRF cookie not set.

How can I test my form with curl? What factors am I not considering besides cookie values and http headers?

Answer

Kevin S. picture Kevin S. · Sep 12, 2013

A mixture of Damien's response and your example number 2 worked for me. I used a simple login page to test, I expect that your registration view is similar. Damien's response almost works, but is missing the sessionid cookie.

I recommend a more robust approach. Rather than manually entering the cookies from other requests, try using curl's built in cookie management system to simulate a complete user interaction. That way, you reduce the chance of making an error:

$ curl -v -c cookies.txt -b cookies.txt host.com/registrations/register/
$ curl -v -c cookies.txt -b cookies.txt -d "[email protected]&a=1&csrfmiddlewaretoken=<token from cookies.txt>" host.com/registrations/register/

The first curl simulates the user first arriving at the page with a GET request, and all the necessary cookies are saved. The second curl simulates filling in the form fields and sending them as a POST. Note that you have to include the csrfmiddlewaretoken field in the POST data, as suggested by Damien.