发表新帖
发表新帖

Django CSRF check failing with an Ajax POST request

前端 未结
关注
22 1410
佛祖请我去吃肉
佛祖请我去吃肉 2020-11-22 03:46

I could use some help complying with Django\'s CSRF protection mechanism via my AJAX post. I\'ve followed the directions here:

http://docs.djangoproject.com/en/dev/r

相关标签:
22条回答
  • 忘掉有多难
    2020-11-22 04:09

    Real solution

    Ok, I managed to trace the problem down. It lies in the Javascript (as I suggested below) code.

    What you need is this:

    $.ajaxSetup({ 
     beforeSend: function(xhr, settings) {
         function getCookie(name) {
             var cookieValue = null;
             if (document.cookie && document.cookie != '') {
                 var cookies = document.cookie.split(';');
                 for (var i = 0; i < cookies.length; i++) {
                     var cookie = jQuery.trim(cookies[i]);
                     // Does this cookie string begin with the name we want?
                     if (cookie.substring(0, name.length + 1) == (name + '=')) {
                         cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                         break;
                     }
                 }
             }
             return cookieValue;
         }
         if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
             // Only send the token to relative URLs i.e. locally.
             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
         }
     } 
});

    instead of the code posted in the official docs: https://docs.djangoproject.com/en/2.2/ref/csrf/

    The working code, comes from this Django entry: http://www.djangoproject.com/weblog/2011/feb/08/security/

    So the general solution is: "use ajaxSetup handler instead of ajaxSend handler". I don't know why it works. But it works for me :)

    Previous post (without answer)

    I'm experiencing the same problem actually.

    It occurs after updating to Django 1.2.5 - there were no errors with AJAX POST requests in Django 1.2.4 (AJAX wasn't protected in any way, but it worked just fine).

    Just like OP, I have tried the JavaScript snippet posted in Django documentation. I'm using jQuery 1.5. I'm also using the "django.middleware.csrf.CsrfViewMiddleware" middleware.

    I tried to follow the the middleware code and I know that it fails on this:

    request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

    and then

    if request_csrf_token != csrf_token:
    return self._reject(request, REASON_BAD_TOKEN)

    this "if" is true, because "request_csrf_token" is empty.

    Basically it means that the header is NOT set. So is there anything wrong with this JS line:

    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

    ?

    I hope that provided details will help us in resolving the issue :)

    0 讨论(0)
  • 死守一世寂寞
    2020-11-22 04:09

    In my case the problem was with the nginx config that I've copied from main server to a temporary one with disabling https that is not needed on the second one in the process.

    I had to comment out these two lines in the config to make it work again:

    # uwsgi_param             UWSGI_SCHEME    https;
# uwsgi_pass_header       X_FORWARDED_PROTO;
    0 讨论(0)
  • 北海茫月
    2020-11-22 04:10

    The accepted answer is most likely a red herring. The difference between Django 1.2.4 and 1.2.5 was the requirement for a CSRF token for AJAX requests.

    I came across this problem on Django 1.3 and it was caused by the CSRF cookie not being set in the first place. Django will not set the cookie unless it has to. So an exclusively or heavily ajax site running on Django 1.2.4 would potentially never have sent a token to the client and then the upgrade requiring the token would cause the 403 errors.

    The ideal fix is here: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#page-uses-ajax-without-any-html-form
    but you'd have to wait for 1.4 unless this is just documentation catching up with the code

    Edit

    Note also that the later Django docs note a bug in jQuery 1.5 so ensure you are using 1.5.1 or later with the Django suggested code: https://docs.djangoproject.com/en/dev/ref/csrf/#ajax

    0 讨论(0)
  • 既然无缘
    2020-11-22 04:13

    If your form posts correctly in Django without JS, you should be able to progressively enhance it with ajax without any hacking or messy passing of the csrf token. Just serialize the whole form and that will automatically pick up all your form fields including the hidden csrf field:

    $('#myForm').submit(function(){
    var action = $(this).attr('action');
    var that = $(this);
    $.ajax({
        url: action,
        type: 'POST',
        data: that.serialize()
        ,success: function(data){
            console.log('Success!');
        }
    });
    return false;
});

    I've tested this with Django 1.3+ and jQuery 1.5+. Obviously this will work for any HTML form, not just Django apps.

    0 讨论(0)
 看不清?
提交回复
热议问题