Javascript requests after user login


Sarfraz Nawaz

Sep 9, 2014, 5:29:32 PM9/9/14
to django...@googlegroups.com
Hello everyone,

Django newbie here, so please forgive me if this has been asked before but I haven't been able to find it.

I am using django-registration with Django 1.6 and I can register a user, log a user in and out fine using /accounts/login and /accounts/logout urls. After the user logs in, he is redirected to a url which serves a page with a javascript (qooxdoo app) based GUI. This app requests a Django view (issuing a GET) that requires an authenticated user and returns a forbidden 403 for unauthenticated users. The problem is that I keep getting forbidden 403. Having looked around it seems that it is because this request does not include the sessionid cookie which is an http only cookie. I know it is possible to change that in Django settings but it sounds unappealing. 

So what is the correct way for javascript to request protected views from Django after user authentication? 

Thanks

Collin Anderson

Sep 9, 2014, 10:11:07 PM9/9/14
to django...@googlegroups.com
So the app is issuing a GET (not POST) via ajax on the same domain as the sessionid cookie, and the view is returning a 403 because the user is not logged in?

If the app is in the same domain as the cookie, the ajax request will include the cookie, even if it's a http-only (non-javascript) cookie.

If you print request.COOKIES in the view, does it really not have sessionid?

Javier Guerra Giraldez

Sep 9, 2014, 11:20:28 PM9/9/14
to django...@googlegroups.com
On Tue, Sep 9, 2014 at 4:29 PM, Sarfraz Nawaz <sar...@gmail.com> wrote:
> The problem is that I keep getting forbidden 403. Having looked around it
> seems that it is because this request does not include the sessionid cookie
> which is an http only cookie.


Have you checked the response content? More likely you're
missing the CSRF token [1]. (Happens to me at least twice for each
ajax-enabled webapp I write.)

[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

--
Javier
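
As an added example (not code from this thread, from Django or from qooxdoo), this is the request shape the two replies describe: on a same-origin request the browser attaches the HttpOnly sessionid cookie on its own, and for unsafe methods the script must additionally echo the readable csrftoken cookie in the X-CSRFToken header, as the linked Django docs specify. The view URL `/api/protected/`, the helper names and the sample cookie string are assumptions.

```javascript
// Assumed: Django's default cookie names "sessionid" and "csrftoken" and the
// X-CSRFToken header from the Django CSRF docs; the URL below is hypothetical.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Methods Django's CSRF middleware does not check; everything else needs the token.
const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build fetch() options for a call to a session-protected Django view.
// sessionid is HttpOnly, so script never sees it; credentials: 'same-origin'
// makes the browser send it anyway. csrftoken is readable and is echoed in
// the X-CSRFToken header for POST/PUT/PATCH/DELETE.
function buildRequestOptions(method, cookieString, body) {
  const opts = { method, credentials: 'same-origin', headers: {} };
  if (!CSRF_SAFE_METHODS.has(method)) {
    const token = getCookie(cookieString, 'csrftoken');
    if (token === null) {
      throw new Error('csrftoken cookie missing: the page must set it before ajax POSTs');
    }
    opts.headers['X-CSRFToken'] = token;
  }
  if (body !== undefined) {
    opts.headers['Content-Type'] = 'application/json';
    opts.body = JSON.stringify(body);
  }
  return opts;
}

// Constructed document.cookie value: only csrftoken is visible to script,
// because the browser hides HttpOnly cookies such as sessionid.
const SAMPLE_COOKIES = 'csrftoken=abc123; theme=dark';

// Browser-side caller. On a 403, read the body as the thread suggests: a CSRF
// rejection and an authentication denial are distinguishable by their content.
async function callProtectedView(url, method, body) {
  const resp = await fetch(url, buildRequestOptions(method, document.cookie, body));
  if (resp.status === 403) {
    throw new Error(`403 from ${url}: ${await resp.text()}`);
  }
  return resp;
}
// Usage in the page: callProtectedView('/api/protected/', 'GET');
```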

Sarfraz Nawaz

Sep 10, 2014, 11:08:31 AM9/10/14
to django...@googlegroups.com
Thanks Collin for the tip. I printed out the cookies and can see both csrf and sessionid cookies; it turns out the problem was with my qooxdoo code. All fixed now, but thanks, I was not sure if sessionid is sent out automatically by the browser when within the same domain.