id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
15354,Cookie with CSRF token not always available for AJAX POST requests,Sayane,nobody,"Quote from mailing list: {{{ There's a problem with CSRF protection and XHR requests. It works perfectly if the 'csrftoken' cookie has already been set. But what if it's not? The cookie with the token will only be set if META[""CSRF_COOKIE_USED""] is True [1]. It's set to True in the function get_token() [2]. get_token() is called in CsrfResponseMiddleware [3] (it's deprecated; I'm not using it) and in the 'csrf' context processor (note: calling it is lazy, so I need to use {% csrf_token %} or at least get the value of the csrf_token variable). But in my project I'm not using {% csrf_token %} anywhere. According to the documentation [5], I'm not required to do anything else but write a simple piece of JavaScript code. Actually, that's not true. I have to put the line ""request.META['CSRF_COOKIE_USED'] = True"" in every view (or write an appropriate decorator). What is more, it will affect users who haven't come across a page where csrf_token is used but whose browser needs to send an XHR POST request. It affects the svn version. I don't know if other versions are affected. [1] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L236 [2] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L67 [3] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L270 [4] http://code.djangoproject.com/browser/django/trunk/django/core/context_processors.py#L38 [5] http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax }}}",Bug,closed,CSRF,dev,Normal,fixed,,me@… Chris Lamb,Accepted,1,0,0,0,0,0
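The following is an added example, not part of the ticket and not Django's code: a Django-free model of the mechanism the reporter describes. The names `get_token`, `CSRF_COOKIE`, `CSRF_COOKIE_USED` and `csrftoken` follow the ticket's references to `django/middleware/csrf.py`; everything else (the `Request`/`Response` stubs, a single `process_view` that both loads the token and checks the `X-CSRFToken` header on POST, the `mark_csrf_cookie_used` decorator standing in for the per-view workaround the reporter mentions) is a simplifying assumption. The real middleware has further steps (for example exempt views and referer checks over HTTPS) that are left out. It shows the failure mode end to end: a page that never renders `{% csrf_token %}` leaves the browser without a cookie, so its XHR POST is rejected, while the same view with the workaround gets the cookie set and the POST accepted.

```python
import functools
import hmac
import secrets

# Constructed model of the CSRF middleware behaviour described in the ticket.
# Names mirror django/middleware/csrf.py, but no Django code is imported.
CSRF_COOKIE_NAME = "csrftoken"


class Request:
    """Stand-in for HttpRequest: method, cookie jar and META/header dict (assumed)."""
    def __init__(self, method="GET", cookies=None, headers=None):
        self.method = method
        self.COOKIES = dict(cookies or {})
        self.META = dict(headers or {})


class Response:
    """Stand-in for HttpResponse with a dict of cookies to set (assumed)."""
    def __init__(self, status=200, body=""):
        self.status = status
        self.body = body
        self.cookies = {}


def get_token(request):
    """As in the ticket: the only place that flips CSRF_COOKIE_USED to True."""
    request.META["CSRF_COOKIE_USED"] = True
    return request.META.get("CSRF_COOKIE")


def process_view(request):
    """Load the token from the cookie or mint a fresh one; on POST, require a
    matching X-CSRFToken header (constant-time compare). Simplified model."""
    cookie_token = request.COOKIES.get(CSRF_COOKIE_NAME)
    request.META["CSRF_COOKIE"] = cookie_token or secrets.token_hex(16)
    if request.method == "POST":
        header_token = request.META.get("HTTP_X_CSRFTOKEN", "")
        if cookie_token is None or not hmac.compare_digest(cookie_token, header_token):
            return Response(403, "CSRF verification failed")
    return None


def process_response(request, response):
    """The cookie is only emitted when something called get_token() this request."""
    if request.META.get("CSRF_COOKIE_USED", False):
        response.cookies[CSRF_COOKIE_NAME] = request.META["CSRF_COOKIE"]
    return response


def mark_csrf_cookie_used(view):
    """Hypothetical decorator for the per-view workaround the reporter describes."""
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        get_token(request)  # same effect as request.META['CSRF_COOKIE_USED'] = True
        return view(request, *args, **kwargs)
    return wrapper


def js_only_page(request):
    """Renders no {% csrf_token %}; the page only carries the XHR JavaScript."""
    return Response(200, "<script>/* XHR POST using the csrftoken cookie */</script>")


# Same view with the workaround applied.
fixed_page = mark_csrf_cookie_used(js_only_page)


def handle(view, request):
    """Run one request through the modelled middleware stack."""
    rejected = process_view(request)
    response = rejected if rejected is not None else view(request)
    return process_response(request, response)


def xhr_post_status(page_view):
    """Browser loads page_view, then POSTs via XHR with whatever token its
    cookie jar holds (the pattern from the AJAX section of the CSRF docs).
    Returns the POST's status code."""
    jar = {}
    jar.update(handle(page_view, Request("GET")).cookies)
    headers = {"HTTP_X_CSRFTOKEN": jar.get(CSRF_COOKIE_NAME, "")}
    post = Request("POST", cookies=jar, headers=headers)
    return handle(lambda r: Response(200, "ok"), post).status


if __name__ == "__main__":
    print("without workaround:", xhr_post_status(js_only_page))  # 403
    print("with workaround:   ", xhr_post_status(fixed_page))    # 200
```

The point the model makes visible is that the cookie's presence depends on a request-scoped flag, not on the client: a user who has never hit a page that consumed the token has no `csrftoken` cookie, so the documented JavaScript has nothing to send and the POST fails.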