CSRF with AJAX problem


galgal

Sep 29, 2011, 7:23:03 PM9/29/11
to django...@googlegroups.com
I have a problem/bug found? in AJAX with CSRF. I don't use {% csrf_token %} at all. I use only AJAX forms so - there is no cookie set for csrf. In that case - https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax is useless :(
I can use get_token to generate it, but I have to put it in all my sites so it makes no sense.

How can I make that cookie without using csrf tag?

Javier Guerra Giraldez

Sep 29, 2011, 8:10:12 PM9/29/11
to django...@googlegroups.com
On Thu, Sep 29, 2011 at 6:23 PM, galgal <weglare...@gmail.com> wrote:
> How can I make that cookie without using csrf tag?

right there in the code sample you quoted:

xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

where getCookie() is defined as:

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}


--
Javier

galgal

Sep 29, 2011, 8:15:53 PM9/29/11
to django...@googlegroups.com
Yes, but that JavaScript code is useless until {% csrf_token %} or get_token is used. I don't use POST forms - only AJAX forms so I don't have that cookie made after page load.

Javier Guerra Giraldez

Sep 29, 2011, 8:17:33 PM9/29/11
to django...@googlegroups.com

have you read it?

--
Javier

galgal

Sep 29, 2011, 8:30:58 PM9/29/11
to django...@googlegroups.com
Yes I have. It returns null if no cookie.

Kenneth Love

Sep 30, 2011, 11:46:46 AM9/30/11
to Django users
You're using AJAX and forms incorrectly, then. Any form that has a solid effect on your database (creating, replacing, or deleting data) should be POSTed and should have a CSRF token.

Look into pydanny's django-uni-form project (http://readthedocs.org/docs/dango-uni-form/en/latest/) for creating your forms. It'll create the CSRF token for you if you set the form method to POST (again, as it should be). Then, in your AJAX function that submits the form, submit the key & value of the CSRF token field to the endpoint. Now you have AJAX forms that are still safe and sane.

Yaşar Arabacı

Sep 30, 2011, 3:22:11 PM9/30/11
to django...@googlegroups.com
To create csrf cookie without using csrf tag, your view needs to be decorated with django.views.decorators.csrf.ensure_csrf_cookie. Also check: https://code.djangoproject.com/ticket/16936

2011/9/30 Kenneth Love <kenne...@gmail.com>
--
http://yasar.serveblog.net/
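Putting Yaşar's answer together with Javier's getCookie(), as an added example that is not from the thread: the browser-side half of Django's cookie-to-header CSRF scheme in plain JavaScript, written to run under Node with an explicit cookie string instead of document.cookie. It assumes the page was served by a view decorated with django.views.decorators.csrf.ensure_csrf_cookie; the cookie values and origin below are constructed.

```javascript
// Same lookup as Django's documented getCookie(), but over an explicit
// cookie string so it can be exercised outside a browser.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  var cookies = cookieString.split(';');
  for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i].trim();
    // Does this cookie string begin with the name we want?
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CsrfViewMiddleware does not check; no header needed.
var SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Decide which headers an AJAX request should carry. Returns {headers, error}.
// The token is attached only for unsafe methods to same-origin URLs, so it is
// never disclosed to a third-party host; a missing cookie is reported instead
// of being sent as "null", which Django would reject with a 403.
function csrfHeaders(method, url, cookieString, origin) {
  var headers = {};
  if (SAFE_METHODS.indexOf(method.toUpperCase()) !== -1) {
    return { headers: headers, error: null };
  }
  var absolute = /^https?:\/\//i.test(url);
  if (absolute && url !== origin && url.indexOf(origin + '/') !== 0) {
    // Cross-origin request: do not disclose the token.
    return { headers: headers, error: null };
  }
  var token = getCookie(cookieString, 'csrftoken');
  if (token === null) {
    // This is exactly the situation galgal hit: no {% csrf_token %} was
    // rendered and the serving view did not use ensure_csrf_cookie.
    return { headers: headers,
             error: 'csrftoken cookie missing: serve the page from a view ' +
                    'decorated with ensure_csrf_cookie' };
  }
  headers['X-CSRFToken'] = token;
  return { headers: headers, error: null };
}

// Constructed sample of document.cookie after the page was served by an
// ensure_csrf_cookie view (token value is made up).
var SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=Q7r2constructedTokenValue';
```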
