id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15354	Cookie with CSRF token not always available for AJAX Post requests	Sayane	nobody	"Quote from mailing list:
{{{
There's a problem with CSRF Protection and XHR requests. It works perfectly if 'csrftoken' cookie has been set already. But what if it's not?
Cookie with token will be set only if META[""CSRF_COOKIE_USED""] is True [1]. It's set to True in function get_token() [2]. get_token() is called in CsrfResponseMiddleware [3] (it's deprecated, I'm not using it) and in the 'csrf' context processor (note - calling it is lazy, so I need to use {% csrf_token %} or at least get the value of the csrf_token variable).

But in my project I'm not using {% csrf_token %} anywhere. According to the documentation [5] I'm not required to do anything else but write some simple JavaScript code. Actually it's not true. I have to put a ""request.META['CSRF_COOKIE_USED'] = True"" line in every view (or write an appropriate decorator).

What is more, it will affect users who didn't come across a page where csrf_token is used, but whose browser needs to send an XHR POST request.

It affects the SVN version. I don't know if other versions are affected.

[1] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L236
[2] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L67
[3] http://code.djangoproject.com/browser/django/trunk/django/middleware/csrf.py#L270
[4] http://code.djangoproject.com/browser/django/trunk/django/core/context_processors.py#L38
[5] http://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
}}}"	Bug	closed	CSRF	dev	Normal	fixed		me@… Chris Lamb	Accepted	1	0	0	0	0	0
