python - Django CSRF check failing with an Ajax POST request


I am trying to comply with Django's CSRF protection mechanism via my AJAX POST. I've followed the directions here:

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

I've copied the AJAX sample code that they have on that page exactly:

http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

I put an alert printing the contents of getCookie('csrftoken') before the xhr.setRequestHeader call, and indeed it is populated with some data. I'm not sure how to verify that the token is correct, but I'm encouraged that it's finding and sending something.

But Django is still rejecting my AJAX POST.

Here's the JavaScript:

    $.post("/memorize/", data, function (result) {
        if (result != "failure") {
            get_random_card();
        }
        else {
            alert("Failed to save card data.");
        }
    });

Here's the error I'm seeing from Django:

    [23/Feb/2011 22:08:29] "POST /memorize/ HTTP/1.1" 403 2332

I'm sure I'm missing something, and maybe it's simple, but I don't know what it is. I've searched around and saw some information about turning off the CSRF check for my view via the csrf_exempt decorator, but I find that unappealing. I've tried it out and it works, but I'd rather get my POST to work the way Django was designed to expect it, if possible.

Just in case it's helpful, here's the gist of what my view is doing:

    from django.http import HttpResponse, HttpResponseRedirect
    from django.shortcuts import render_to_response
    from django.template import RequestContext

    def myview(request):
        profile = request.user.profile
        if request.method == 'POST':
            """
            Process the POST...
            """
            return HttpResponseRedirect('/memorize/')
        else: # request.method == 'GET'
            ajax = request.GET.has_key('ajax')
            """
            Irrelevant code...
            """
            if ajax:
                response = HttpResponse()
                profile.get_stack_json(response)
                return response
            else:
                """
                Data to send along with the content of the page.
                """
                return render_to_response('memorize/memorize.html',
                    # ... data ...
                    context_instance=RequestContext(request))

Thanks for any replies!

real solution

OK, I managed to trace the problem down. It lies in the JavaScript (as suggested below) code.

What you need is this:

    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            function getCookie(name) {
                var cookieValue = null;
                if (document.cookie && document.cookie != '') {
                    var cookies = document.cookie.split(';');
                    for (var i = 0; i < cookies.length; i++) {
                        var cookie = jQuery.trim(cookies[i]);
                        // Does this cookie string begin with the name we want?
                        if (cookie.substring(0, name.length + 1) == (name + '=')) {
                            cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                            break;
                        }
                    }
                }
                return cookieValue;
            }
            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
            }
        }
    });

instead of the code posted in the official docs: http://docs.djangoproject.com/en/1.2/ref/contrib/csrf/#ajax

The working code comes from this Django entry: http://www.djangoproject.com/weblog/2011/feb/08/security/

So the general solution is: "use the ajaxSetup handler instead of the ajaxSend handler". I don't know why it works, but it works for me :)

previous post (without answer)

I'm experiencing the same problem actually.

It occurs after updating Django to 1.2.5 - there were no errors with AJAX POST requests in Django 1.2.4 (AJAX wasn't protected in any way, but it worked fine).

Just like the OP, I have tried the JavaScript snippet posted in the Django documentation. I'm using jQuery 1.5. I'm using the "django.middleware.csrf.CsrfViewMiddleware" middleware.

I tried to follow the middleware code and I know it fails on this:

    request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

and then

    if request_csrf_token != csrf_token:
        return self._reject(request, REASON_BAD_TOKEN)

This "if" is true, because "request_csrf_token" is empty.

Basically it means that the header is not set. So is there something wrong with this JS line:

    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

?

I hope the details I provided help in resolving the issue :)
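The answer above boils down to three decisions the client has to make before each request: is the method one Django checks, is the URL same-origin, and is the csrftoken cookie present. The following is an added example (not code from the question, the answer, or Django) that factors those decisions into pure functions so they can be run and tested under Node without a browser or jQuery. The cookie string and the page origin are passed in as parameters instead of read from document.cookie and window.location; the cookie values are constructed sample data.

```javascript
// Parse one named cookie out of a "k=v; k2=v2" string, URL-decoding the
// value, the same way the jQuery snippet's getCookie() walks document.cookie.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  var cookies = cookieString.split(';');
  for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i].trim();
    // Does this cookie string begin with the name we want?
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's CsrfViewMiddleware only checks "unsafe" methods. Attaching the
// token to GET/HEAD/OPTIONS/TRACE gains nothing and widens where it travels.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method.toUpperCase());
}

// A scheme-less (relative) URL is same-origin by construction. An absolute
// URL is only trusted when it starts with our own origin, so the token is
// never handed to a third-party host.
function isSameOrigin(url, origin) {
  if (!/^https?:\/\//i.test(url)) return true;
  var u = url.toLowerCase();
  var o = origin.toLowerCase();
  return u === o || u.indexOf(o + '/') === 0;
}

// Decide which extra headers an XHR should carry. Returns {'X-CSRFToken': ...}
// only when the request is unsafe AND same-origin AND the cookie exists;
// otherwise {} (and for an unsafe request the server will answer 403, which
// is exactly the log line in the question).
function csrfHeaders(method, url, cookieString, origin) {
  if (csrfSafeMethod(method) || !isSameOrigin(url, origin)) return {};
  var token = getCookie('csrftoken', cookieString);
  if (token === null) return {};
  return { 'X-CSRFToken': token };
}

// Constructed sample cookie jar, like one a Django session would set.
var SAMPLE_COOKIES =
  'sessionid=abc123; csrftoken=Zt9kExampleTokenValue%3D; theme=dark';

console.log(csrfHeaders('POST', '/memorize/', SAMPLE_COOKIES, 'http://localhost:8000'));
console.log(csrfHeaders('POST', 'http://other.example/x', SAMPLE_COOKIES, 'http://localhost:8000'));
```

In a page, csrfHeaders would be called from the jQuery beforeSend hook with settings.type, settings.url, document.cookie and window.location.origin, and each returned header applied with xhr.setRequestHeader. The first console.log call carries the token; the second returns an empty object because the URL is not same-origin.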
