disqus / gargoyle

Feature switches in Django
http://engineering.disqus.com
Apache License 2.0

csrf errors #31

Open rizumu opened 12 years ago

rizumu commented 12 years ago

Tried installing gargoyle 0.6.1 with nexus 0.2.3 and none of the ajax links work for managing switches, due to the standard csrf errors: "403 Forbidden. CSRF verification failed. Request aborted."

The recent nexus commits to use ajaxSetup are being called correctly, but something (I've no idea what) is not working with gargoyle's provided templates and staticfiles.

dcramer commented 12 years ago

Can you check the requests and see if it's showing the X-CSRF (or whatever it's labeled) header in them? Also see if it's setting the csrf cookie on the initial gargoyle page load.

rizumu commented 12 years ago

The X-CSRFToken is set in the headers.

Django is setting the csrf cookie, however I am using a custom name: CSRF_COOKIE_NAME = "comunidad_csrftoken"

dcramer commented 12 years ago

And it's sending the token header (with the ajax call) as the correct value of the cookie? Are you behind SSL?

rizumu commented 12 years ago

hrmpf. Today the token header isn't being included so I can't check. No SSL atm, and I'm on localhost. Well, I'll revisit it next week.

armisael commented 11 years ago

Just to resurrect this issue: this happens when you set a custom CSRF_COOKIE_NAME.

In our websites we have the following configuration: default cookie name for production environment (csrftoken) and a custom value for staging and unstable environments (s_csrftoken and u_csrftoken respectively).

Gargoyle request:

Cookie:csrftoken=rm11CGoHiH4znZQ... u_csrftoken=Ychnso82YtOutx8ywmk...
X-CSRFToken:rm11CGoHiH4znZQ...

One of our (patched) requests:

Cookie:csrftoken=rm11CGoHiH4znZQ... u_csrftoken=Ychnso82YtOutx8ywmk...
X-CSRFToken:Ychnso82YtOutx8ywmk...

What we did is just to edit the code at https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax replacing the CSRF cookie name in var csrftoken = getCookie('csrftoken');

Hope this issue will be fixed soon, gargoyle is an essential part of our infrastructure, and not being able to use it properly in our testing environment is kinda problematic.
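The mismatch described in the comment above, as an added example (not code from gargoyle, nexus or the Django docs): a cookie-jar parser, a header builder that reads the cookie named by the configured CSRF_COOKIE_NAME instead of a hardcoded 'csrftoken', and a small diagnostic that tells you which cookie a captured X-CSRFToken header was actually taken from. It assumes the page makes the configured cookie name available to the script (e.g. via a template variable); the cookie values are constructed.

```javascript
// Parse a Cookie header (same shape as document.cookie) into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq === -1) continue; // skip empty segments and malformed pairs
    jar[trimmed.slice(0, eq)] = decodeURIComponent(trimmed.slice(eq + 1));
  }
  return jar;
}

// Build the header an AJAX client should send. The cookie name comes from the
// server's CSRF_COOKIE_NAME (assumed to be exposed to the page), not a literal.
function csrfHeaderFor(cookieString, csrfCookieName) {
  const token = parseCookies(cookieString)[csrfCookieName];
  if (token === undefined) {
    throw new Error(`CSRF cookie "${csrfCookieName}" not present in request`);
  }
  return { 'X-CSRFToken': token };
}

// Given a captured request, report whether X-CSRFToken matches the cookie Django
// will verify against, and if not, which other cookie it was copied from.
function diagnose(cookieString, headerToken, csrfCookieName) {
  const jar = parseCookies(cookieString);
  if (jar[csrfCookieName] === headerToken) return 'ok';
  const culprit = Object.keys(jar).find((name) => jar[name] === headerToken);
  return culprit
    ? `header taken from cookie "${culprit}", expected "${csrfCookieName}"`
    : 'header matches no cookie';
}

// Constructed sample: the browser holds the production cookie and the
// unstable-environment cookie side by side, as in the requests shown above.
const SAMPLE_COOKIES = 'csrftoken=prod_token_AAA; u_csrftoken=unstable_token_BBB';
const UNSTABLE_COOKIE_NAME = 'u_csrftoken'; // what CSRF_COOKIE_NAME is set to there

// Hardcoded name: sends the production token, which the unstable server rejects.
const wrongHeader = csrfHeaderFor(SAMPLE_COOKIES, 'csrftoken');
// Configured name: sends the token that environment will actually accept.
const rightHeader = csrfHeaderFor(SAMPLE_COOKIES, UNSTABLE_COOKIE_NAME);

console.log(diagnose(SAMPLE_COOKIES, wrongHeader['X-CSRFToken'], UNSTABLE_COOKIE_NAME));
console.log(diagnose(SAMPLE_COOKIES, rightHeader['X-CSRFToken'], UNSTABLE_COOKIE_NAME));
```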

martino commented 11 years ago

+1