I have excluded the line 'django.middleware.csrf.CsrfViewMiddleware' from my Django settings file in MIDDLEWARE_CLASSES, and yet one of our users received the "Forbidden" error from an AJAX request. How is this possible, especially if the CSRF middleware is disabled?
- There could be other middlewares that deal with CSRF themselves, which could be causing the issue. (_This is just a guess._) Here is one way to overcome it: http://stackoverflow.com/a/4631626/1628832 – karthikr May 21 '14 at 16:04
- Thanks. I do see the csrftoken cached as a cookie, probably from the time that we had csrftokens enabled. Could a form being cached on the browser from a previous version of the website have anything to do with this? – Sid May 21 '14 at 16:08
- @karthikr Also, the user apprised me of his Windows password having expired in the meantime. Could this have anything to do with the Forbidden on the AJAX call? I understand I can disable all sources of CSRF protection, but I am also trying to figure out what caused this, as it's not replicable. – Sid May 21 '14 at 16:18
- Well, I am not very convinced about the Windows password expiry. However, I would guess that the user has logged out (session expiry/logout from another tab), which _could_ have caused the error. – karthikr May 21 '14 at 16:44
- I thought about that, but after checking the Apache access logs I don't see any 403s, while if I enable CSRF and let it fail, the 403s get logged into access.log. Which made me think that the request was somehow not reaching Django... – Sid May 21 '14 at 17:38
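The comments above point at view-level CSRF enforcement (e.g. a `csrf_protect`-decorated view) surviving the removal of the middleware, and at a stale `csrftoken` cookie. The following is an added example, not code from the question or its comments: the client-side half of Django's CSRF scheme, reading the token cookie at request time and attaching it as the `X-CSRFToken` header only for unsafe, same-origin requests. The cookie and header names are Django's defaults; the request URLs and cookie strings are constructed.

```javascript
// Added example (not from the thread): attach Django's CSRF token to AJAX calls.
// "csrftoken" and "X-CSRFToken" are Django's default cookie and header names.
const CSRF_COOKIE = "csrftoken";
const CSRF_HEADER = "X-CSRFToken";

// Parse a document.cookie-style string into a Map. Values are percent-decoded;
// the first occurrence of a name wins, mirroring browser ordering for the most
// specific path. A Map avoids prototype collisions with names like "constructor".
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;                    // skip malformed fragments
    const name = part.slice(0, idx).trim();
    if (!name || jar.has(name)) continue;
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    jar.set(name, value);
  }
  return jar;
}

// Django only checks the token on "unsafe" methods; these four are exempt.
function isCsrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Never send the token cross-origin: leaking it to another site defeats the check.
function isSameOrigin(requestUrl, pageOrigin) {
  return new URL(requestUrl, pageOrigin).origin === pageOrigin;
}

// Returns the extra headers for one request: {} when no token should be sent, and
// throws when an unsafe same-origin request has no token cookie at all, which is the
// condition a csrf_protect-decorated view answers with 403.
// The cookie is read on every call (not cached at page load) because Django rotates
// the CSRF token on login, so a token captured earlier can be stale after a re-login.
function csrfHeaders(method, requestUrl, pageOrigin, cookieString) {
  if (isCsrfSafeMethod(method) || !isSameOrigin(requestUrl, pageOrigin)) return {};
  const token = parseCookies(cookieString).get(CSRF_COOKIE);
  if (!token) throw new Error(`no ${CSRF_COOKIE} cookie; the view would reject this with 403`);
  return { [CSRF_HEADER]: token };
}

// Browser usage (constructed; document.cookie supplies the cookie string):
// fetch("/api/save/", { method: "POST", credentials: "same-origin",
//   headers: { "Content-Type": "application/json",
//              ...csrfHeaders("POST", "/api/save/", location.origin, document.cookie) },
//   body: JSON.stringify(payload) });
```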