JQuery + AJAX + Django = CSRF ? [duplicate]

2

14

Possible Duplicate:
"CSRF token missing or incorrect" while post parameter via AJAX in Django

I wanted to send login data by AJAX to authenticate the user, but it wasn't possible because of CSRF. Could you tell me what to add to my code to make it work?

my JavaScript file:

// Binds a delegated click handler (.live() is the pre-jQuery-1.7 API for this)
// and POSTs the two form fields. The request carries no CSRF token, which is
// why Django's CsrfViewMiddleware answers with "CSRF token missing or incorrect".
$("#login").live("click", function() {
    var username = $(".login_username").val();
    var password = $(".login_password").val();

    $.ajax({
        url: "/login",
        type: "POST",
        data: {
            username: username,
            password: password
        },
        cache: false,
        success: function(tekst) {   // tekst: response body returned by the view
            alert(tekst);
        }
    });
});
Argueta answered 27/8, 2011 at 13:40 Comment(2)
I believe you can find your answer here. The simplest solution appears to be disabling CSRF protection on the django instance. The next best option is to update your JavaScript login to grab django's CSRF token from the form and include it as part of the AJAX request.Europe
Take a look at my previous answer. #6507397Utrillo
11

There is a method explained here.

It consists of adding an X-CSRFToken header on each AJAX request.

This is done by hooking the jQuery.ajaxSend event, so everything is done automatically (you just have to copy and paste their code, and run it once before the first AJAX request you make).

Irairacund answered 27/8, 2011 at 13:44 Comment(5)
Yeah, I have read it. But I don't know how to use it and where to add it =/?Argueta
put the code just after <script src=".../jquery.js"></script> and that's all, it seems.Irairacund
I have put that code after the end of the $("#login").live("click", function() { function - it changed nothing :(. Must that code be in a separate file?Argueta
Don't know how... but it started to work properly :P.Argueta
Broken link. Try this one insteadBotulin
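The approach this answer describes, written out as an added example (it is not the answerer's code, nor the snippet from the Django docs): read the CSRF cookie, and attach it as an X-CSRFToken header to every unsafe, same-origin request made through jQuery, before any $.ajax call runs. It assumes Django's default cookie name csrftoken and header name X-CSRFToken; the URL and field names in the login handler are the asker's. The cookie parsing and header decision are kept as plain functions so they can be exercised outside a browser.

```javascript
// Added example (not from the original post or the Django docs): the
// "X-CSRFToken header on every unsafe AJAX request" pattern for Django + jQuery.
// Assumptions: cookie name "csrftoken" and header "X-CSRFToken" (Django defaults).

// Pull one cookie value out of a "k=v; k2=v2" string (the document.cookie format).
function getCookie(cookieString, name) {
  if (!cookieString) return null;
  var parts = cookieString.split(';');
  for (var i = 0; i < parts.length; i++) {
    var cookie = parts[i].trim();
    // Match on "name=" so that e.g. "xcsrftoken=" is not mistaken for "csrftoken=".
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Methods Django's CsrfViewMiddleware does not check; they need no header.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// The token must never be sent cross-origin: that would hand it to another site.
// `origin` is scheme + host[:port], e.g. "https://example.com".
function isSameOrigin(url, origin) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) {            // absolute URL with a scheme
    return url === origin || url.indexOf(origin + '/') === 0 || url.indexOf(origin + '?') === 0;
  }
  if (url.indexOf('//') === 0) {                     // protocol-relative URL
    var host = origin.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
    var target = url.substring(2);
    return target === host || target.indexOf(host + '/') === 0;
  }
  return true;                                       // relative path: same origin
}

// Decide the headers for one request. Returns a copy of `headers`, with
// X-CSRFToken added only for unsafe, same-origin requests when the cookie exists.
function csrfHeaders(method, url, cookieString, origin, headers) {
  var out = Object.assign({}, headers || {});
  if (!csrfSafeMethod(method) && isSameOrigin(url, origin)) {
    var token = getCookie(cookieString, 'csrftoken');
    if (token) out['X-CSRFToken'] = token;
  }
  return out;
}

// Browser wiring: place this after <script src=".../jquery.js"> and before
// any $.ajax call. Guarded so the file also loads where jQuery is absent.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery.ajaxSetup({
    beforeSend: function (xhr, settings) {
      var origin = location.protocol + '//' + location.host;
      var headers = csrfHeaders(settings.type, settings.url, document.cookie, origin, {});
      if (headers['X-CSRFToken']) xhr.setRequestHeader('X-CSRFToken', headers['X-CSRFToken']);
    }
  });

  // The asker's login handler; .on() replaces the deprecated .live().
  jQuery(document).on('click', '#login', function () {
    jQuery.ajax({
      url: '/login',
      type: 'POST',
      data: {
        username: jQuery('.login_username').val(),
        password: jQuery('.login_password').val()
      },
      cache: false,
      success: function (tekst) { alert(tekst); }
    });
  });
}
```

One check before relying on this: the header can only be set if the csrftoken cookie is present, and Django only sets that cookie on responses from views that used the token (for example by rendering {% csrf_token %}) or that are decorated with ensure_csrf_cookie. If the login page is served without either, getCookie returns null, no header is sent, and the POST is still rejected.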
3

I've been trying to solve the same problem, and as arnaud576875 says you have to add the CSRF token header on each AJAX request, just like the Django docs say: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax, and execute that code before any AJAX request you make.

But there is something additional: you have to find a way to load the CSRF token into the cookies of your app before trying to do any AJAX request. After a lot of painful hours of research I couldn't find a specific answer on how to do this. What I did find is that, to ensure that your view sends the CSRF token within a cookie, you can use ensure_csrf_cookie() on each view you want to receive the token: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie. This seems to work for a lot of people, but it did not work for me.

Another way is using the Legacy Method, adding 'django.middleware.csrf.CsrfResponseMiddleware' to your MIDDLEWARE_CLASSES, but I don't recommend this method because it leaves several security risks. https://docs.djangoproject.com/en/1.2/ref/contrib/csrf/#legacy-method

All these methods that I mentioned before did not work for me. The way that I'm allowing AJAX to do some requests is as follows, and if someone finds this a dangerous method please let me know:

  1. Go to the first view that your user will hit, like the /home/ page.
  2. Insert this before redirecting or parsing anything: request.META["CSRF_COOKIE_USED"] = True

And that's it. That is the way that works for me, but as I said before I'm not sure if this is the right method or the most secure one to accomplish CSRF protection.

Dedication answered 28/8, 2011 at 0:9 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.