how to get csrf cookie in ajax app


Brian Craft

Mar 18, 2011, 2:05:00 PM
to django...@googlegroups.com
In an ajax-based site, where the page is static, and makes ajax calls
after loading, how would one get a csrf cookie? There aren't any
templates associated with the views (they just return json strings).
Setting of the cookie seems to be a side effect of serving forms in
django, but the client doesn't need to fetch a form from the server
for ajax calls. render_to_response finds a reference to the csrf in
the template, calls some internal function to retrieve the csrf, which
sets some flag causing the csrf middleware to add the set-cookie to
the response. Or something?

So, for an ajax app, I could create a view with an empty form,
including just the csrf? Or create a view that calls get_token()?

Matt Robenolt

Mar 19, 2011, 3:11:40 PM
to django...@googlegroups.com
This is actually something new coming in Django 1.3, and by default it requires all AJAX requests to define an X-CSRFToken header. Fortunately, they've written about how to do it here and provided a jQuery implementation: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

Brian Craft

Mar 19, 2011, 9:28:44 PM
to django...@googlegroups.com
Yeah, I'm using that technique. It works fine once you have the
cookie. My question was about how to get the cookie, which is not
described well in the documentation.

Manually calling get_token() in the view for the first ajax GET seems
to be working. After that I can POST to other views.


Matt Robenolt

Mar 21, 2011, 12:49:53 PM
to django...@googlegroups.com
To get the token? It's stored in a cookie. You can read that in Javascript with document.cookie, then parse the cookie string to retrieve the relevant part.

Brian Craft

Mar 21, 2011, 1:09:48 PM
to django...@googlegroups.com
It's in a cookie once you coerce django into sending the cookie to the
browser. This is less automatic for ajax apps, because django isn't
serving the forms (which is when it usually sends the csrf cookie).

Matt Robenolt

Mar 21, 2011, 1:23:44 PM
to django...@googlegroups.com
Is your main view being rendered by Django or something else? If so, you'll have access to the cookie.

Artur Wdowiarski

Mar 21, 2011, 2:42:21 PM
to django...@googlegroups.com

Brian Craft

Mar 21, 2011, 6:35:33 PM
to django...@googlegroups.com
No, it's not. It's a static file.


Matt Robenolt

Mar 21, 2011, 6:39:17 PM
to django...@googlegroups.com
Hmm, are Django and this static file on two separate servers? It's looking like you might just want to do a @csrf_exempt.

Lior Sion

Mar 22, 2011, 12:31:33 AM
to Django users
If your file is completely static (even coming from a cache server)
then there's no way of getting the csrf, since the whole point of the
csrf is that it's dynamic (otherwise it can be copied).

You can do a one time "warmup" if the cookie is not present on your
client to "get_data" from the server and initialize the cookie, or go
without csrf as suggested.
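The client side of the one-time "warmup" described in this post, combined with the document.cookie parsing Matt mentioned earlier, as an added example that is not code from anyone in the thread. It assumes Django's default cookie name (csrftoken) and a hypothetical warmup URL /api/csrf/ served by a view that calls get_token(); the cookie must be readable by script (not HttpOnly).

```javascript
// Added example: fetch the CSRF token for a static, AJAX-only page.
// Assumptions: cookie name "csrftoken" (Django default) and a warmup
// endpoint /api/csrf/ whose view calls get_token() so Django emits Set-Cookie.

// Parse one cookie out of a document.cookie-style string ("a=1; csrftoken=x; b=2").
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CSRF middleware does not check (same list as the docs' jQuery snippet).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method.toUpperCase());
}

// readCookies: () => string (in a browser: () => document.cookie)
// warmup:      () => Promise (in a browser: () => fetch('/api/csrf/', {credentials: 'same-origin'}))
// Does the warmup GET only when the cookie is absent, then re-reads it.
async function ensureCsrfToken(readCookies, warmup) {
  let token = getCookie('csrftoken', readCookies());
  if (token === null) {
    await warmup();
    token = getCookie('csrftoken', readCookies());
  }
  if (token === null) {
    throw new Error('csrftoken cookie still missing after warmup GET');
  }
  return token;
}

// Headers for a JSON AJAX call; X-CSRFToken only on methods the middleware checks.
function buildHeaders(method, token) {
  const headers = { 'Content-Type': 'application/json' };
  if (!csrfSafeMethod(method)) {
    headers['X-CSRFToken'] = token;
  }
  return headers;
}

// Browser usage (not executed here):
//   const token = await ensureCsrfToken(() => document.cookie,
//     () => fetch('/api/csrf/', { credentials: 'same-origin' }));
//   fetch('/api/items/', { method: 'POST', credentials: 'same-origin',
//     headers: buildHeaders('POST', token), body: JSON.stringify(data) });
```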