JQuery + AJAX +姜戈 = CSRF ?
我想通过 AJAX 发送登录数据来验证用户身份,但由于 CSRF,这是不可能的。你能告诉我在我的代码中添加什么才能使其正常工作吗?
我的 JavaScript 文件:
$("#login").live("click", function() {
var username = $(".login_username").val();
var password = $(".login_password").val();
$.ajax({
url: "/login",
type: "POST",
data: {
username: username,
password: password
},
cache: false,
success: function(tekst) {
alert(tekst);
}
});
});
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
有一个此处解释的方法。
它包括在每个 ajax 请求上添加 X-CSRFToken 标头。
这是通过挂钩 jQuery.ajaxSend 事件来完成的,因此一切都是自动完成的(您只需复制并粘贴其代码,并在发出第一个 ajax 请求之前运行一次)。
There is a method explained here.
It consists of adding a X-CSRFToken header on each ajax request.
This is done by hooking in the jQuery.ajaxSend event, so everything is done automatically (you just have to copy and past their code, and run it once before the first ajax request you make).
我一直在尝试解决同样的问题,正如 arnaud576875 所说,你必须在每个 ajax 请求上添加 csrf 令牌标头,就像 Django 文档所说的 https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax 并在发出任何 Ajax 请求之前执行该代码。
但还有一些额外的事情,在尝试执行任何 AJAX 请求之前,您必须找到一种方法将 csrf 令牌加载到应用程序的 cookie 中,经过大量痛苦的时间研究后,我找不到具体的答案我发现,为了确保您的视图在 cookie 中发送 csrf 令牌,您可以对您想要接收令牌的每个视图使用
ensure_csrf_token()https://docs.djangoproject.com/ en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie这似乎对很多人有用,但对我不起作用。另一种方法是使用旧方法,将
'django.middleware.csrf.CsrfResponseMiddleware'添加到您的MIDDLEWARE_CLASSES但我不推荐此方法,因为会留下一些安全风险。https://docs.djangoproject.com/en/1.2/ ref/contrib/csrf/#legacy-method
我之前所说的所有这些方法都不适合我。我允许 Ajax 执行某些请求的方式如下,如果有人发现这是一种危险的方法,请告诉我:
request.META["CSRF_COOKIE_USED"] = True
就是这样,这就是对我有用的方法,但正如我之前所说,我不确定这是否是正确的方法或最安全的方法csrf保护。
I've been trying to solve the same problem, And as arnaud576875 says you have to Add the csrf token header on each ajax request just like the Django docs says https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax And execute that code before any Ajax request you make.
But there is something additional, you have to find a way to load the csrf token to the cookies of your app before trying to do any AJAX request, after a lot of painful hours researching I couldn't find an specific answer of how to do this, what I did found is that to ensure that your view sends the csrf token within a cookie you can use the
ensure_csrf_token()to each view you want to receive the token https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.ensure_csrf_cookie this seems to work for a lot of people, but did not worked for me.Another way is using the Legacy Method, adding the
'django.middleware.csrf.CsrfResponseMiddleware'to yourMIDDLEWARE_CLASSESbut I don't recommend this method because leaves several security risks.https://docs.djangoproject.com/en/1.2/ref/contrib/csrf/#legacy-method
All this methods that I said before did not worked for me. The way that I'm allowing Ajax to do some requests is as the following, and if someone finds this a dangerous method please let me know:
request.META["CSRF_COOKIE_USED"] = True
And that's it, That is the way that works for me, but as I said before I'm not sure if this is the right method or the most secure one to accomplish the csrf protection.