Friday, September 30, 2011

Re: CSRF with AJAX problem

You're using AJAX and forms incorrectly, then. Any form that has a
solid effect on your database (creating, replacing, or deleting data)
should be POSTed and should have CSRF token.

Look into pydanny's django-uni-form project (http://readthedocs.org/
docs/dango-uni-form/en/latest/
) for creating your forms. It'll create
the CSRF token for you if you set the form method to POST (again, as
it should be). Then, in your AJAX function that submits the form,
submit the key & value of the CSRF token field to the endpoint. Now
you have AJAX forms that are still safe and sane.

On Sep 29, 5:15 pm, galgal <weglarek.rob...@gmail.com> wrote:
> Yes, but that JavaScript code is useless until {% csrf_token %} or get_token
> is used. I don't use POST forms - only AJAX forms so I don't have that
> cookie made after page load.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

No comments:

Post a Comment