Unable to add CSRF token to the header


Subodh Nijsure

Jun 22, 2014, 10:56:30 PM
to django...@googlegroups.com
[ Sorry this is duplicate as I posted previous messages without Subject: !! ]

I have the following ajax query that gets generated from my template.

This is done after the user has logged into the system. One thing I have
noticed is that the very first GET request always prompts a dialog box that
asks users to log in with username and password. I have done
console.log and csrf_token is non-null when this dialog is shown. Does
anybody have an idea why this happens? On all subsequent reloads of this
page I never get prompted to enter username & password.

    $.ajax({
        type: "GET",
        withCredentials: true,
        async: false,
        url: "/api/v1/myurl/",
        data: {
            csrfmiddlewaretoken: '{{ csrf_token }}'
        },
        success: function (json) {
            // response handling not shown in the original post
        }
    });

It was suggested to me that I should follow this and make sure that
csrf token is present in the header.


https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

I have made sure that in my javascript I have the recommended code that
sets the request header, but that doesn't help!

Can anyone help me with this?

-Subodh

Roman Klesel

Jun 26, 2014, 2:39:57 PM
to django...@googlegroups.com
Hello,

I'm not quite sure what you are trying to do, but with type: "GET"
there is no need to worry about csrf_token.

From the link you posted:

"""
function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
"""

For the thing with the unexpected login ... I also think this has
nothing to do with the csrf_token thing. If you have the default
authentication running, your authentication data will be in a cookie
named session-id or so ...
Of course, if you mess up that cookie, you have to authenticate again.
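
The rule quoted in the reply above (safe methods carry no token, other same-origin requests send it in a header), written out as an added example that is not part of the original thread or Django's own code. The cookie name `csrftoken` and header `X-CSRFToken` are Django's defaults; the helper names `getCookie`, `sameOrigin` and `csrfHeaders` and all sample values are constructed for illustration.

```javascript
// Added example: decides whether a request needs the CSRF header.

// Parse one cookie value out of a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Methods that Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// True only when the URL resolves to the page's own origin, so the
// token is never attached to a request bound for another host.
function sameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign
  }
}

// Extra headers a request should carry; empty for GET and cross-origin.
function csrfHeaders(method, url, pageOrigin, cookieString) {
  if (csrfSafeMethod(method) || !sameOrigin(url, pageOrigin)) {
    return {};
  }
  const token = getCookie("csrftoken", cookieString);
  return token ? { "X-CSRFToken": token } : {};
}

// Browser wiring, assuming jQuery is loaded on the page:
// $.ajaxSetup({ beforeSend: function (xhr, settings) {
//   const h = csrfHeaders(settings.type, settings.url,
//                         location.origin, document.cookie);
//   for (const k in h) xhr.setRequestHeader(k, h[k]);
// }});
```
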