Everything makes sense about this except for:
> If the user hasn't visited a page that has #csrfmiddlewaretoken on it
> then there is also no cookie, in IE only.
I am looking in firefox as well and I cannot see that cookie until I
visit a page that has the csrf_token on it -- afterwards it persists.
Can you confirm that your cookie settings are the same in firefox and IE?
Also, I use the csrf_token with any form that POSTs to my domain, (ajax
or otherwise), which prevents this issue.
Hope this helps,
Casey
On 03/09/2011 09:24 AM, cootetom wrote:
I have got the jQuery that does the ajaxSetup. However the problem is
when #csrfmiddlewaretoken isn't on the page. My jQuery is as the
Django documentation suggests which is to read the cookie value which
is meant to be set at every request.
If the user hasn't visited a page that has #csrfmiddlewaretoken on it
then there is also no cookie, in IE only.
I can solve my issue by putting {% csrf_token %} on every page of the
web site but something is telling me there is a deeper problem.
On Mar 9, 2:12 pm, krzysiekpl<krzysie...@gmail.com> wrote:
Did you try add custom header X-CSRFToken ? Try this solution if youre
using jquery
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!(/^http:.*/.test(settings.url) || /
^https:.*/.test(settings.url))) {
// Only send the token to relative URLs i.e. locally.
xhr.setRequestHeader("X-CSRFToken",
$("#csrfmiddlewaretoken").val());
}
}
});
http://www.djangoproject.com/weblog/2011/feb/08/security/
On 9 Mar, 14:59, cootetom<coote...@gmail.com> wrote:
I am experiencing some off behaviour with CSRF but only in IE
browsers. Using Django 1.2.5 (final).
I have a page that has no form and no use of {% csrf_token %} but it
does make a POST request using JavaScript. I have implemented the
jQuery code to grab the CSRF cookie value for all AJAX requests. The
strange thing is that in IE browsers there is no CSRF cookie but in
all other browsers, on the same page that cookie exists. So IE
browsers get 403 for AJAX requests and other browsers work just fine.
I'm just using the django.middleware.csrf.CsrfViewMiddleware
middleware.
Here is the scenario to replicate this:
1. Visit a page that does have a form and so does have a {% csrf_token
%}
2. Move onto a page that doesn't make use of {% csrf_token %} but does
still do a JavaScript POST. The JavaScript POST will work this time
around.
3. Close the web browser down, re-open it but go directly to the web
page that doesn't use {% csrf_token %} but does make a JavaScript
POST. This will now fail as no cookie has been set for CSRF.
The documentation says the cookie is set for every request so I don't
understand this?
--
You received this message because you are subscribed to the Google Groups "Django
users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
