Django CSRF check failing with an Ajax POST request

If you use the $.ajax function, you can simply add the csrf token in the data body:

$.ajax({    data: {        somedata: 'somedata',        moredata: 'moredata',        csrfmiddlewaretoken: '{{ csrf_token }}'    },

Real solution

Ok, I managed to trace the problem down. It lies in the Javascript (as I suggested below) code.

What you need is this:

$.ajaxSetup({      beforeSend: function(xhr, settings) {         function getCookie(name) {             var cookieValue = null;             if (document.cookie && document.cookie != '') {                 var cookies = document.cookie.split(';');                 for (var i = 0; i < cookies.length; i++) {                     var cookie = jQuery.trim(cookies[i]);                     // Does this cookie string begin with the name we want?                     if (cookie.substring(0, name.length + 1) == (name + '=')) {                         cookieValue = decodeURIComponent(cookie.substring(name.length + 1));                         break;                     }                 }             }             return cookieValue;         }         if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {             // Only send the token to relative URLs i.e. locally.             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));         }     } });

instead of the code posted in the official docs:https://docs.djangoproject.com/en/2.2/ref/csrf/

The working code, comes from this Django entry: http://www.djangoproject.com/weblog/2011/feb/08/security/

So the general solution is: "use ajaxSetup handler instead of ajaxSend handler". I don't know why it works. But it works for me :)

Previous post (without answer)

I'm experiencing the same problem actually.

It occurs after updating to Django 1.2.5 - there were no errors with AJAX POST requests in Django 1.2.4 (AJAX wasn't protected in any way, but it worked just fine).

Just like OP, I have tried the JavaScript snippet posted in Django documentation. I'm using jQuery 1.5. I'm also using the "django.middleware.csrf.CsrfViewMiddleware" middleware.

I tried to follow the the middleware code and I know that it fails on this:

request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

and then

if request_csrf_token != csrf_token:    return self._reject(request, REASON_BAD_TOKEN)

this "if" is true, because "request_csrf_token" is empty.

Basically it means that the header is NOT set. So is there anything wrong with this JS line:

xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

?

I hope that provided details will help us in resolving the issue :)

Add this line to your jQuery code:

$.ajaxSetup({  data: {csrfmiddlewaretoken: '{{ csrf_token }}' },});

and done.