Re: CSRF with AJAX problem
To create the csrf cookie without using the csrf tag, your view needs to be decorated with django.views.decorators.csrf.ensure_csrf_cookie.

Also check: https://code.djangoproject.com/ticket/16936

2011/9/30 Kenneth Love
> You're using AJAX and forms incorrectly, then. Any form that has a
> solid effect on your database (creating, replacing, or deleting data)
> should be POSTed and should have a CSRF token.
>
> Look into pydanny's django-uni-form project
> (http://readthedocs.org/docs/dango-uni-form/en/latest/) for creating
> your forms. It'll create the CSRF token for you if you set the form
> method to POST (again, as it should be). Then, in your AJAX function
> that submits the form, submit the key & value of the CSRF token field
> to the endpoint. Now you have AJAX forms that are still safe and sane.
>
> On Sep 29, 5:15 pm, galgal wrote:
> > Yes, but that JavaScript code is useless until {% csrf_token %} or
> > get_token is used. I don't use POST forms - only AJAX forms so I
> > don't have that cookie made after page load.

--
http://yasar.serveblog.net/

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
Re: CSRF with AJAX problem
You're using AJAX and forms incorrectly, then. Any form that has a solid effect on your database (creating, replacing, or deleting data) should be POSTed and should have a CSRF token.

Look into pydanny's django-uni-form project (http://readthedocs.org/docs/dango-uni-form/en/latest/) for creating your forms. It'll create the CSRF token for you if you set the form method to POST (again, as it should be). Then, in your AJAX function that submits the form, submit the key & value of the CSRF token field to the endpoint. Now you have AJAX forms that are still safe and sane.

On Sep 29, 5:15 pm, galgal wrote:
> Yes, but that JavaScript code is useless until {% csrf_token %} or get_token
> is used. I don't use POST forms - only AJAX forms so I don't have that
> cookie made after page load.
Re: CSRF with AJAX problem
Yes I have. It returns null if no cookie.
Re: CSRF with AJAX problem
On Thu, Sep 29, 2011 at 7:15 PM, galgal wrote:
> Yes, but that JavaScript code is useless until {% csrf_token %} or get_token
> is used. I don't use POST forms - only AJAX forms so I don't have that
> cookie made after page load.

have you read it?

--
Javier
Re: CSRF with AJAX problem
Yes, but that JavaScript code is useless until {% csrf_token %} or get_token is used. I don't use POST forms - only AJAX forms so I don't have that cookie made after page load.
Re: CSRF with AJAX problem
On Thu, Sep 29, 2011 at 6:23 PM, galgal wrote:
> How can I make that cookie without using csrf tag?

right there in the code sample you quoted:

    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

where getCookie() is defined as:

    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }

--
Javier
CSRF with AJAX problem
I have a problem/bug found? in AJAX with CSRF. I don't use {% csrf_token %} at all. I use only AJAX forms so - there is no cookie set for csrf. In that case - https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax is useless :(

I can use get_token to generate it, but I have to put it in all my sites so it makes no sense.

How can I make that cookie without using csrf tag?