Hi Vincent,

Yes. Look at the HTTP headers. Just in case you need to read the docs on 1.2.5, which identified the CSRF AJAX issue:
http://www.djangoproject.com/weblog/2011/feb/08/security/

Also, looking at the request in Firebug you can see the 'X-CSRFToken' needs to be added as an attribute with the JavaScript you use. This is not labour intensive and I was able to do a grep to find and replace in my files to make them compatible.

Here is the required code in Prototype. It could be adapted to the framework of your choice.

    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = cookies[i].strip();  // Prototype's String#strip()
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }

    function requestPage(event) {
        var element = event;  // or event.element() when wired up as an event handler
        var url = '/' + element.identify() + '/';
        new Ajax.Updater('content', url, {
            method: 'post',
            requestHeaders: {'X-CSRFToken': getCookie('csrftoken')}
        });
    }

On Fri, Apr 8, 2011 at 6:49 PM, Vincent den Boer <vinc...@shishkabab.net> wrote:
> We have a site with a lot of static HTML pages and a few Django pages. Dajaxice
> is used on both the static and Django pages to check whether the user is logged
> in and show the login status to the user. The problem is that since the user
> will typically visit the HTML pages first, the user will not have a CSRF cookie
> stored when the first AJAX request is made and Django rejects the request. Is
> there any elegant way to solve this? I've now disabled CSRF protection for all
> AJAX requests, which is not a problem right now since we don't do anything
> dangerous or send sensitive data with AJAX, but could become a risk in the
> future.
>
> Kind regards,
> Vincent
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
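A framework-free version of the same idea, added here as an illustration and not code from the thread: it reads the csrftoken cookie the way the Prototype snippet does, but takes the cookie string as a parameter so it can be exercised outside a browser, and it only attaches X-CSRFToken on the methods Django's middleware checks (everything except GET, HEAD, OPTIONS and TRACE). When the cookie is absent, as on the first AJAX call from a static page, it adds no header so Django rejects the request with 403, which keeps the protection on instead of disabling it. The helper names (getCookie, csrfHeaders, sendWithCsrf) are assumptions of this example.

```javascript
// Added example, not from the original thread: framework-free cookie lookup
// plus a helper that decides when Django's X-CSRFToken header is required.
// The cookie string is passed in explicitly (document.cookie in a browser)
// so the logic can be exercised outside a browser.

// Methods Django's CsrfViewMiddleware does not check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Return the value of cookie `name`, or null when it is not set.
// Matching on "name=" after trimming avoids picking up a cookie whose
// name merely ends with `name` (e.g. "xcsrftoken").
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Headers to add for `method`. Safe methods get none; unsafe methods get
// X-CSRFToken when the cookie exists. With no cookie yet (the first AJAX
// call from a static page) nothing is added and Django answers 403,
// which is the behaviour to keep rather than turning the check off.
function csrfHeaders(method, cookieString) {
  if (SAFE_METHODS.has(method.toUpperCase())) return {};
  const token = getCookie('csrftoken', cookieString);
  return token === null ? {} : { 'X-CSRFToken': token };
}

// Browser usage: send `body` to `url` with the header applied.
// `onDone` receives the XMLHttpRequest once the response arrives.
function sendWithCsrf(method, url, body, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open(method, url, true);
  const headers = csrfHeaders(method, document.cookie);
  for (const name of Object.keys(headers)) {
    xhr.setRequestHeader(name, headers[name]);
  }
  xhr.onload = () => onDone(xhr);
  xhr.send(body);
}
```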