I think I can only get it working in IE because IE forgets the cookie when the browser closes and the other browsers on my machine don't. I think the fact that I have only found this in IE is not really related.

I guess I'm misunderstanding the use of CSRF. Perhaps the correct way is to place {% csrf_token %} on the pages where I'm making POST requests regardless as to if those POSTs are via a form or AJAX.

On Mar 9, 2:24 pm, cootetom <coote...@gmail.com> wrote:
> I have got the jQuery that does the ajaxSetup. However the problem is
> when #csrfmiddlewaretoken isn't on the page. My jQuery is as the
> Django documentation suggests, which is to read the cookie value which
> is meant to be set at every request.
>
> If the user hasn't visited a page that has #csrfmiddlewaretoken on it
> then there is also no cookie, in IE only.
>
> I can solve my issue by putting {% csrf_token %} on every page of the
> web site but something is telling me there is a deeper problem.
>
> On Mar 9, 2:12 pm, krzysiekpl <krzysie...@gmail.com> wrote:
> > Did you try adding the custom header X-CSRFToken? Try this solution if you're
> > using jQuery:
> >
> >     $.ajaxSetup({
> >         beforeSend: function(xhr, settings) {
> >             if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
> >                 // Only send the token to relative URLs i.e. locally.
> >                 xhr.setRequestHeader("X-CSRFToken",
> >                                      $("#csrfmiddlewaretoken").val());
> >             }
> >         }
> >     });
> >
> > http://www.djangoproject.com/weblog/2011/feb/08/security/
> >
> > On 9 Mar, 14:59, cootetom <coote...@gmail.com> wrote:
> > > I am experiencing some odd behaviour with CSRF but only in IE
> > > browsers. Using Django 1.2.5 (final).
> > >
> > > I have a page that has no form and no use of {% csrf_token %} but it
> > > does make a POST request using JavaScript. I have implemented the
> > > jQuery code to grab the CSRF cookie value for all AJAX requests. The
> > > strange thing is that in IE browsers there is no CSRF cookie but in
> > > all other browsers, on the same page, that cookie exists. So IE
> > > browsers get 403 for AJAX requests and other browsers work just fine.
> > >
> > > I'm just using the django.middleware.csrf.CsrfViewMiddleware
> > > middleware.
> > >
> > > Here is the scenario to replicate this:
> > >
> > > 1. Visit a page that does have a form and so does have a {% csrf_token %}
> > > 2. Move onto a page that doesn't make use of {% csrf_token %} but does
> > >    still do a JavaScript POST. The JavaScript POST will work this time
> > >    around.
> > > 3. Close the web browser down, re-open it but go directly to the web
> > >    page that doesn't use {% csrf_token %} but does make a JavaScript
> > >    POST. This will now fail as no cookie has been set for CSRF.
> > >
> > > The documentation says the cookie is set for every request so I don't
> > > understand this?
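The cookie-based header setup that the thread refers to, written out as plain functions so each piece can be checked on its own. This is an added example, not code from the thread or from the Django documentation; it reads the token from the `csrftoken` cookie (Django's default cookie name) instead of a hidden input, only attaches the header to non-safe methods, and treats protocol-relative `//host/...` URLs as absolute, which goes slightly beyond the `/^https?:/` test in the posted snippet. The cookie string, the origin, and the `csrfHeadersFor` name are assumptions made for the example.

```javascript
// Added example: CSRF header selection for AJAX requests against a Django
// backend. Pure functions; the jQuery wiring at the bottom only runs in a browser.

var CSRF_COOKIE_NAME = "csrftoken";    // Django's default CSRF_COOKIE_NAME
var CSRF_HEADER = "X-CSRFToken";

// Parse a document.cookie-style string ("a=1; b=2") and return the named value,
// percent-decoded, or null when the cookie is absent.
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  var parts = cookieString.split(";");
  for (var i = 0; i < parts.length; i++) {
    var cookie = parts[i].trim();
    if (cookie.substring(0, name.length + 1) === name + "=") {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods that CsrfViewMiddleware does not check; only the others need the token.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True when the request stays on our own origin. Relative URLs qualify;
// absolute and protocol-relative URLs must match the origin exactly.
function sameOrigin(url, origin) {
  if (/^(?:[a-z][a-z0-9+.\-]*:)?\/\//i.test(url)) {
    var scheme = origin.split("//")[0];                    // e.g. "https:"
    var abs = url.indexOf("//") === 0 ? scheme + url : url;
    return abs === origin || abs.indexOf(origin + "/") === 0 || abs.indexOf(origin + "?") === 0;
  }
  return true;
}

// Decide which headers an outgoing request needs. Returns an object so the
// decision can be inspected: { headers: {...}, missingToken: bool }.
function csrfHeadersFor(method, url, cookieString, origin) {
  var result = { headers: {}, missingToken: false };
  if (csrfSafeMethod(method) || !sameOrigin(url, origin)) return result;
  var token = getCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    // The state the thread describes: the page was served without anything
    // calling get_token(), so no cookie exists and the POST will get a 403.
    result.missingToken = true;
    return result;
  }
  result.headers[CSRF_HEADER] = token;
  return result;
}

// Constructed sample inputs (not captured from a real browser).
var SAMPLE_COOKIE = "sessionid=abc123; csrftoken=tok%2Fconstructed; theme=dark";
var SAMPLE_ORIGIN = "https://example.invalid";

// Browser wiring, equivalent in intent to the ajaxSetup snippet in the thread.
if (typeof jQuery !== "undefined" && typeof window !== "undefined") {
  jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var origin = window.location.protocol + "//" + window.location.host;
      var decision = csrfHeadersFor(settings.type, settings.url, document.cookie, origin);
      for (var name in decision.headers) {
        xhr.setRequestHeader(name, decision.headers[name]);
      }
    }
  });
}
```

The `missingToken` flag is the useful diagnostic here: if it is set on a same-origin POST, the page was served without the cookie. In Django 1.2, CsrfViewMiddleware writes the cookie only on responses where `get_token()` was called, which is what `{% csrf_token %}` does when rendered; a view that serves a page with no form but with JavaScript POSTs can call `django.middleware.csrf.get_token(request)` itself so the cookie is always present, which is the stable fix rather than relying on other browsers keeping a session cookie across restarts.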