I am experiencing some off behaviour with CSRF but only in IE browsers. Using Django 1.2.5 (final).
I have a page that has no form and no use of {% csrf_token %} but it does make a POST request using JavaScript. I have implemented the jQuery code to grab the CSRF cookie value for all AJAX requests.

The strange thing is that in IE browsers there is no CSRF cookie but in all other browsers, on the same page that cookie exists. So IE browsers get 403 for AJAX requests and other browsers work just fine. I'm just using the django.middleware.csrf.CsrfViewMiddleware middleware.

Here is the scenario to replicate this:

1. Visit a page that does have a form and so does have a {% csrf_token %}
2. Move onto a page that doesn't make use of {% csrf_token %} but does still do a JavaScript POST. The JavaScript POST will work this time around.
3. Close the web browser down, re-open it but go directly to the web page that doesn't use {% csrf_token %} but does make a JavaScript POST. This will now fail as no cookie has been set for CSRF.

The documentation says the cookie is set for every request so I don't understand this?
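The client-side half of the scenario above, as an added example that is not part of the original post: it decides whether an AJAX request can carry the CSRF header and reports why not, so the missing-cookie case in step 3 is visible before the 403. The function names, URLs and cookie values are constructed for illustration; `csrftoken` and `X-CSRFToken` are assumed to be Django's default cookie and header names.

```javascript
// Added example (not the poster's code). Assumes Django's default names.
const CSRF_COOKIE = "csrftoken";
const CSRF_HEADER = "X-CSRFToken";
const SAFE_METHODS = /^(GET|HEAD|OPTIONS|TRACE)$/i;

// Parse a document.cookie-style string; return the named cookie's value or null.
function getCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    // Exact name match, so "xcsrftoken" is never mistaken for "csrftoken".
    if (eq > 0 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

// True only when the target has the same scheme, host and port as the page,
// so the token is never sent to another site.
function sameOrigin(url, pageUrl) {
  return new URL(url, pageUrl).origin === new URL(pageUrl).origin;
}

// Return the headers to attach plus the reason for the decision.
function csrfDecision(method, url, pageUrl, cookieString) {
  if (SAFE_METHODS.test(method)) return { headers: {}, reason: "safe-method" };
  if (!sameOrigin(url, pageUrl)) return { headers: {}, reason: "cross-origin" };
  const token = getCookie(cookieString, CSRF_COOKIE);
  // Step 3 of the scenario: nothing set the cookie, so no header can be sent
  // and the server-side CSRF check rejects the POST.
  if (token === null) return { headers: {}, reason: "missing-cookie" };
  return { headers: { [CSRF_HEADER]: token }, reason: "ok" };
}

// Constructed sample data for the two states described in the post.
const PAGE = "https://example.test/dashboard/";
const AFTER_FORM_PAGE = "sessionid=abc123; csrftoken=constructedtoken0123456789abcdef";
const FRESH_BROWSER = "sessionid=def456";

console.log(csrfDecision("POST", "/api/save/", PAGE, AFTER_FORM_PAGE).reason);
console.log(csrfDecision("POST", "/api/save/", PAGE, FRESH_BROWSER).reason);
```

In a page this would be called from jQuery's `beforeSend` hook with `document.cookie`, passing each returned header to `xhr.setRequestHeader`; logging the `missing-cookie` reason there shows which browsers arrive without the cookie.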