id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
16164	Suggested approach for CSRF in AJAX requests doesn't work when cookie not set	anonymous	nobody	Looking at the [https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/#ajax CSRF documentation], if the suggested approach is implemented, there's a risk it will not work. The jQuery hook code that's exemplified looks for the csrftoken cookie value. However, if the AJAX requests are made from a session missing that cookie, the CSRF validation will ultimately fail. This cookie can be missing since it's only added to responses if a template or view has explicitly requested the cookie (thus adding `CSRF_COOKIE_USED` to the request.META, which is checked for [source:django/trunk/django/middleware/csrf.py@16201#L200 here]). The documentation would need to call this out and/or provide a way to manually force this cookie to be set on responses including the AJAX-driven form. Alternatively, the middleware could be changed to add the cookie regardless of whether or not it's been explicitly requested.	Bug	closed	CSRF	1.3	Normal	worksforme			Unreviewed	0	0	0	0	0	0
