csrf token driving me crazy


Divkis

Jun 21, 2011, 7:17:26 AM6/21/11
to Django users
Hi all,
I am facing a really weird issue with csrf token handling
in django 1.3. Until now I was using 1.2 and my views were working
fine with ajax post requests by setting the X-CSRFToken. I upgraded to
django 1.3 and cleared all the cookies in my browser and I see that no
csrftoken cookie is being set, which is breaking my views.

To debug this I looked into the django sources and I see that when one of my
views is called using post, the csrf token is
generated and put inside request.META['CSRF_COOKIE'], but there are
other static files referred to inside the view which are fetched using GET,
and I see that the csrf token is regenerated even for GET calls. Hence
the csrf_token set (using {% csrf_token %}) in one of my templates no
longer matches what is contained in request.META['CSRF_COOKIE'].
Moreover, I tried to use {% csrf_token %} because the csrftoken cookie
is not being found/set in the browser cookies.

I am not sure what is causing this. Please help.

In django.middleware.csrf.py: CsrfViewMiddleware: process_response I
have put the following prints:

def process_response(self, request, response):
    if getattr(response, 'csrf_processing_done', False):
        return response

    # Debug prints (Python 2 print statement, as used with Django 1.3)
    print 'CSRF_COOKIE is ', request.META.get('CSRF_COOKIE')
    print 'CSRF_COOKIE_USED is ', request.META.get('CSRF_COOKIE_USED')
    print 'CSRF_COOKIE_DOMAIN is ', request.META.get('CSRF_COOKIE_DOMAIN')

and the output from the django development server is:

CSRF_COOKIE is 131b312f5978ae7b80dcebce32a8d71f
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:50] "POST / HTTP/1.1" 200 18881
CSRF_COOKIE is dbba1a4cc2089723019c26d250bcaf22
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:53] "GET /static/css/base.css HTTP/1.1" 200 8527
CSRF_COOKIE is bd14b0b3d4acfc4d5e0581beb6c693af
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:53] "GET /static/css/redmond/jquery-ui-1.8.10.custom.css HTTP/1.1" 200 34080
CSRF_COOKIE is 6c5b8e37943bb61e494fb619a0a4c4a9
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:53] "GET /static/js/jquery-1.5.1.js HTTP/1.1" 200 216840
CSRF_COOKIE is 3b158fc50ee44bb222b8001301270916
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/js/jquery-ui-1.8.10.custom.min.js HTTP/1.1" 200 207380
CSRF_COOKIE is c9fbacd13a07019d8d656fba079439d4
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/js/json.min.js HTTP/1.1" 200 1257
CSRF_COOKIE is 6f9409363d14c7bc565e7f6436650149
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/css/prettyPhoto.css HTTP/1.1" 200 27294
CSRF_COOKIE is ff323f081ece38d56734c96b9ecddace
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/js/jquery.prettyPhoto.js HTTP/1.1" 200 34052
CSRF_COOKIE is 790fa3e999201cadafcaefe84505dd35
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/js/index.js HTTP/1.1" 200 3681
CSRF_COOKIE is c5762ae986e245f6da30879f1df15180
CSRF_COOKIE_USED is None
CSRF_COOKIE_DOMAIN is None
[21/Jun/2011 05:50:54] "GET /static/js/base.js HTTP/1.1" 200 2579


Thanks & Regards,
Divkis01

Daniel Roseman

Jun 21, 2011, 7:54:56 AM6/21/11
to django...@googlegroups.com

On Tuesday, 21 June 2011 12:17:26 UTC+1, Divkis wrote:
Hi all,
I am facing a really weird issue with csrf token handling
in django 1.3. Until now I was using 1.2 and my views were working
fine with ajax post requests by setting the X-CSRFToken. I upgraded to
django 1.3 and cleared all the cookies in my browser and I see that no
csrftoken cookie is being set, which is breaking my views.

To debug this I looked into the django sources and I see that when one of my
views is called using post, the csrf token is
generated and put inside request.META['CSRF_COOKIE'], but there are
other static files referred to inside the view which are fetched using GET,
and I see that the csrf token is regenerated even for GET calls. Hence
the csrf_token set (using {% csrf_token %}) in one of my templates no
longer matches what is contained in request.META['CSRF_COOKIE'].
Moreover, I tried to use {% csrf_token %} because the csrftoken cookie
is not being found/set in the browser cookies.

I am not sure what is causing this. Please help.

When you upgrade versions, you should always be sure to read the release notes. In this case, the notes point out that there has been a backwards-incompatible change on CSRF in Ajax requests, and point to the updated documentation, which you should read, as it explains exactly how to get a CSRF token for use in Ajax.
--
DR.

Divkis

Jun 21, 2011, 8:28:55 AM6/21/11
to Django users
Yeah, I did read the updated documentation but I did not find anything
that seems to point to a backward-incompatible change w.r.t. 1.2. Maybe
I have overlooked something. Please point me to the right section in
the documentation.

Moreover, it does not explain why a GET request seems to change
request.META['CSRF_COOKIE'].

Thanks & Regards,
DivKis01

Divkis

Jun 22, 2011, 12:20:52 AM6/22/11
to Django users
Is there no one who has had a similar problem with django 1.3? Could
anyone please help me on this? I have almost hit a dead end on this one.

Thanks & Regards,
Divkis01

Kevin Renskers

Jun 22, 2011, 3:59:33 AM6/22/11
to django...@googlegroups.com
The documentation about CSRF and AJAX was already linked: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
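A simplified model of the Django 1.3 CsrfViewMiddleware token lifecycle, added here as an editorial example (not Django's own code and not from any poster). It shows why the debug output in the first post prints a fresh CSRF_COOKIE on every request while CSRF_COOKIE_USED stays None: with no cookie in the browser a new token is minted per request, and the middleware only sends the cookie for a response in which get_token() was called (which the {% csrf_token %} tag does). Function names mirror the middleware's, but the bodies are stand-ins, and new_token() is an assumed replacement for Django's private key generator.

```python
import hmac
import secrets

COOKIE_NAME = "csrftoken"  # Django's default CSRF_COOKIE_NAME


def new_token():
    # Stand-in for Django's private _get_new_csrf_key(): 32 hex characters.
    return secrets.token_hex(16)


def process_view(browser_cookies, meta):
    # Reuse the browser's cookie token if present, else mint a fresh one. With no
    # cookie in the browser every request (POST and static GET alike) gets a new one.
    if COOKIE_NAME in browser_cookies:
        meta["CSRF_COOKIE"] = browser_cookies[COOKIE_NAME]
    else:
        meta["CSRF_COOKIE"] = new_token()
    meta.setdefault("CSRF_COOKIE_USED", None)


def get_token(meta):
    # What {% csrf_token %} calls: marks the token as used for this response.
    meta["CSRF_COOKIE_USED"] = True
    return meta["CSRF_COOKIE"]


def process_response(meta):
    # The cookie is only sent when the token was used; CSRF_COOKIE_USED still None
    # here means no Set-Cookie header, so the browser never receives a csrftoken.
    if not meta.get("CSRF_COOKIE_USED"):
        return None
    return meta["CSRF_COOKIE"]


def simulate(render_csrf_tag, requests=3):
    # Run a few requests through the model; returns (browser cookies, tokens seen).
    browser_cookies, tokens = {}, []
    for _ in range(requests):
        meta = {}
        process_view(browser_cookies, meta)
        if render_csrf_tag:
            get_token(meta)
        tokens.append(meta["CSRF_COOKIE"])
        cookie = process_response(meta)
        if cookie is not None:
            browser_cookies[COOKIE_NAME] = cookie
    return browser_cookies, tokens


def ajax_post_allowed(browser_cookies, x_csrftoken):
    # Django 1.3 POST check: a CSRF cookie must exist and X-CSRFToken must match it.
    if COOKIE_NAME not in browser_cookies:
        return False
    return hmac.compare_digest(x_csrftoken, browser_cookies[COOKIE_NAME])
```

Running simulate(False) reproduces the symptom in the log (three different tokens, no cookie ever set); simulate(True) yields one stable token that an X-CSRFToken header read from the cookie will match.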
