
I am making ajax call like below:

    var data_dict = {'user':{{ user.id }}, 'bookId':that.id, 'csrfmiddlewaretoken': '{{ csrf_token }}'};
    $.ajax({
        type: 'POST',
        url:"/issuebook",
        data:data_dict,
        processData: false,
        contentType: false,
        success:function(response)
        {
        }
    });

urls.py is:

    urlpatterns = [
        url(r'^$',views.checkLogin,name='checklogin'),
        url(r'^mylibrary/(?P<pk>\d+)/(?P<user_name>[\w\-]+)$',login_required(views.MyLibrary.as_view()),name='mylibrary'),
        url(r'^centrallibrary/(?P<pk>\d+)/(?P<user_name>[\w\-]+)$',login_required(views.CentralLibrary.as_view()),name='centrallibrary'),
        url(r'^issuebook$',login_required(views.IssueBookView.as_view()),name='issuebook'),
    ]

I am getting "Forbidden (CSRF token missing or incorrect.): /issuebook" error on ajax call.

The csrf token in ajax call is getting rendered as:

    var data_dict = {'user':{{ user.id }}, 'bookId':that.id, 'csrfmiddlewaretoken':'fSSdu8dJ4FO6FvDz8eU5ISzOewRYyGbC'};
    $.ajax({
        type: 'POST',
        url:"/issuebook",
        data:data_dict,
        contentType: false,
        success:function(response)
        {
        }
    });
ankit
  • You just passed the string `'{{ csrf_token }}'` as `csrfmiddlewaretoken`, and your ajax call can't match it with the relative one. Instead you can get the hash value of `csrf` token manually from your html in your call function. – Mazdak Mar 29 '16 at 17:37
  • Add the rendered HTML template in the question too. – v1k45 Mar 29 '16 at 17:37
  • @v1k45 i have added the rendered {{ csrf_token }} in the edited question. Apart from this I am just rendering few string values in the template which is working fine – ankit Mar 29 '16 at 17:43
  • @v1k45 also I am not using any forms in the template. This ajax call is done on button click event – ankit Mar 29 '16 at 17:49
  • Try setting the `X-CSRFToken` request header to `csrftoken`, in ajax request. – Rohit Jain Mar 29 '16 at 18:30

1 Answer


This error is caused by processData and contentType options in your ajax function. Removing these two options will fix the issue.

Explanation: The arguments must be sent to Django urlencoded, with Content-Type application/x-www-form-urlencoded. If you set processData: false it won't encode the POST parameters, and contentType: false will send the ajax POST request as text/plain.

xyres
  • What if it's set to this? Content-Type: application/json;charset=UTF-8. Will that work? I get the same error as above. – Axwack Apr 24 '18 at 13:37
  • @Axwack No, it won't work. Django doesn't understand `application/json` POST request. Try sending the data as `Content-Type: application/x-www-form-urlencoded`. If you can't control the request, there's another way to accept `json` request. If you'd like to know, I'll post another comment. – xyres Apr 24 '18 at 17:46
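As an added example (not code from the question, the answer, or Django itself), here is a plain-JavaScript version of the same call that keeps the body urlencoded, as the answer requires, and also carries the token in the `X-CSRFToken` header, as Rohit Jain's comment suggests. It assumes Django's default `csrftoken` cookie and `X-CSRFToken` header names; the helper names and the sample cookie string are my own.

```javascript
// Added example: a Django-compatible AJAX POST for /issuebook that does not
// disable request encoding. Assumes the default Django cookie "csrftoken"
// and header "X-CSRFToken" (both configurable in settings.py).

// Constructed sample of what document.cookie might look like after login.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=constructedTokenValue0001';

// Parse one cookie value out of a document.cookie-style string.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the request: urlencoded body (what request.POST parses) plus the
// token in the X-CSRFToken header, which CsrfViewMiddleware also accepts
// when no csrfmiddlewaretoken form field is present.
function buildIssueBookRequest(userId, bookId, cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (!token) {
    throw new Error('csrftoken cookie missing: the CSRF check would fail');
  }
  const body = new URLSearchParams({ user: String(userId), bookId: String(bookId) });
  return {
    method: 'POST',
    url: '/issuebook',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'X-CSRFToken': token,
    },
    body: body.toString(),
  };
}

// Send it with fetch. Same-origin credentials are needed so the session
// cookie travels with the request (the view is wrapped in login_required).
function issueBook(userId, bookId) {
  const req = buildIssueBookRequest(userId, bookId, document.cookie);
  return fetch(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
    credentials: 'same-origin',
  });
}
```

Because the token travels in the header, the same pattern also works for a JSON body (the case Axwack asks about), provided the view reads `request.body` instead of `request.POST`.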