#16164: Suggested approach for CSRF in AJAX requests doesn't work when cookie not set
-----------------------+------------------------------
 Reporter:  anonymous  |          Owner:  nobody
     Type:  Bug        |         Status:  new
Milestone:             |      Component:  contrib.csrf
  Version:  1.3        |       Severity:  Normal
 Keywords:             |   Triage Stage:  Unreviewed
Has patch:  0          |  Easy pickings:  0
-----------------------+------------------------------
 Looking at the
 [https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax CSRF
 documentation], if the suggested approach is implemented, there's a risk
 it will not work. The jQuery hook code that's exemplified looks for the
 csrftoken cookie value. However, if the AJAX requests are made from a
 session missing that cookie, the CSRF validation will ultimately fail.
 This cookie can be missing since it's only added to responses if a
 template or view has explicitly requested the cookie (thus adding
 `CSRF_COOKIE_USED` to the request.META, which is checked for
 [source:django/trunk/django/middleware/csrf.py@16201#L200 here]). The
 documentation would need to call this out and/or provide a way to manually
 force this cookie to be set on responses including the AJAX-driven form.
 Alternatively, the middleware could be changed to add the cookie
 regardless of whether or not it's been explicitly requested.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16164>
Django <https://code.djangoproject.com/>
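The failure mode described in the ticket, and the view-side fix it hints at, as an added example that is not part of the ticket or of Django's own code. It is a simplified, dependency-free model of the 1.3-era `CsrfViewMiddleware` behaviour the reporter links to: the middleware only writes the `csrftoken` cookie on a response when `CSRF_COOKIE_USED` has been set in `request.META`, which `get_token()` does. The `Request`/`Response` classes, `simulate()` and the two views are constructed for this illustration; the documented jQuery hook is modelled by `ajax_post()`, which copies the cookie into the `X-CSRFToken` header exactly as the docs' JavaScript does.

```python
"""Model of why the documented jQuery CSRF hook fails when no csrftoken cookie was ever set.

This is a constructed, simplified re-implementation of the relevant parts of
Django 1.3's CsrfViewMiddleware and get_token(); it is NOT Django's code.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE_NAME = "csrftoken"
CSRF_HEADER = "HTTP_X_CSRFTOKEN"        # WSGI name of the X-CSRFToken header
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:                          # constructed stand-in for HttpRequest
    method: str
    cookies: dict
    meta: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


@dataclass
class Response:                         # constructed stand-in for HttpResponse
    status: int = 200
    cookies: dict = field(default_factory=dict)


def get_token(request):
    """Mirrors django.middleware.csrf.get_token: marks the cookie as used so
    process_response will emit it, and returns the token for this request."""
    request.meta["CSRF_COOKIE_USED"] = True
    return request.meta.get("CSRF_COOKIE")


def process_view(request):
    """Load the token from the cookie (or mint one), then validate unsafe methods.
    Returns None on success or a 403 Response on failure."""
    token = request.cookies.get(CSRF_COOKIE_NAME)
    if token is None:
        token = secrets.token_hex(16)   # fresh token, but nobody has asked for it yet
    request.meta["CSRF_COOKIE"] = token

    if request.method not in SAFE_METHODS:
        submitted = request.post.get("csrfmiddlewaretoken") or request.meta.get(CSRF_HEADER, "")
        if not hmac.compare_digest(submitted, token):
            return Response(status=403)
    return None


def process_response(request, response):
    """Only set the cookie when something in the view or template called get_token()."""
    if request.meta.get("CSRF_COOKIE_USED"):
        response.cookies[CSRF_COOKIE_NAME] = request.meta["CSRF_COOKIE"]
    return response


def ajax_page_without_token(request):
    """View rendering the AJAX-driven page without ever requesting the token:
    the cookie is never sent to the browser, so later AJAX POSTs cannot find it."""
    return Response()


def ajax_page_with_token(request):
    """Same view, but it forces the cookie onto its response via get_token()."""
    get_token(request)
    return Response()


def ajax_post(browser_cookies):
    """Model of the documented jQuery ajaxSend hook: read the csrftoken cookie
    and send it as X-CSRFToken. If the cookie is absent, no header is sent."""
    req = Request("POST", dict(browser_cookies))
    token = browser_cookies.get(CSRF_COOKIE_NAME)
    if token is not None:
        req.meta[CSRF_HEADER] = token
    return req


def simulate(view):
    """Load the page with `view`, then fire one AJAX POST from it; return the POST's status."""
    browser_cookies = {}
    page_req = Request("GET", dict(browser_cookies))
    assert process_view(page_req) is None           # GET is never rejected
    page_resp = process_response(page_req, view(page_req))
    browser_cookies.update(page_resp.cookies)       # browser stores whatever was Set-Cookie'd

    post_req = ajax_post(browser_cookies)
    rejected = process_view(post_req)
    return rejected.status if rejected else 200


if __name__ == "__main__":
    print("without get_token():", simulate(ajax_page_without_token))  # 403
    print("with get_token():   ", simulate(ajax_page_with_token))     # 200
```

The first scenario reproduces the ticket: the page loads fine, the browser never receives a `csrftoken` cookie, the hook finds nothing to copy into the header, and the AJAX POST is rejected with 403. Calling `get_token(request)` in the view that serves the AJAX-driven page is the manual way to force the cookie in 1.3; later Django releases package the same idea as the `ensure_csrf_cookie` view decorator.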