RkBlog

Hardware, programming and astronomy tutorials and reviews.

A note on Django 1.5.2 rotating CSRF token and frontend javascript applications

A problem for ember.js applications when Django changes the CSRF token as the user logs in.

Django 1.5.2 introduced a change described in the release notes as "The CSRF token now rotates when a user logs in". This isn't a problem for typical web applications, where the user submits a form and the page reloads. For applications based on JavaScript frameworks like ember (or angular) it becomes a problem: the user is logged in in the background with an AJAX request (for example via the Facebook JS SDK) and the page in general never reloads. When the user logs in, the token changes, and subsequent API (POST) requests (to django-rest-framework, for example) are rejected by the server as forbidden.

A solution would be to return a new token in the server response to the login request and insert it in place of the old one, which was inserted when the Django template was rendered:
xhr.setRequestHeader("X-CSRFToken", "{{csrf_token}}");
I wonder if there are any solutions for this already?
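The approach described above, written out as an added example (not code from the original post): the client keeps the current token in one place, seeds it from the rendered template, and replaces it with the rotated token carried in the login response. It assumes a login view that answers JSON with a "csrf_token" field and a synchronous transport(url, opts) function standing in for XMLHttpRequest; the fake server is constructed here to mirror the rotation.

```javascript
// Added example (not from the original post). Assumed: the login view answers
// JSON with a "csrf_token" field, and transport(url, opts) returns {status, body}
// synchronously as a stand-in for XMLHttpRequest/fetch.
const csrfState = { token: null };

// Seed with the token rendered into the Django template ("{{ csrf_token }}").
function seedCsrfToken(token) { csrfState.token = token; }

// Headers for a state-changing request, always carrying the current token.
function csrfHeaders(extra) {
  if (!csrfState.token) throw new Error("CSRF token not initialised");
  return Object.assign({ "X-CSRFToken": csrfState.token }, extra || {});
}

function postJson(transport, url, payload) {
  return transport(url, {
    method: "POST",
    headers: csrfHeaders({ "Content-Type": "application/json" }),
    body: JSON.stringify(payload),
  });
}

// Log in over AJAX and adopt the rotated token the server sends back, so
// later API calls do not keep using the stale pre-login token.
function login(transport, credentials) {
  const resp = postJson(transport, "/api/login/", credentials);
  if (resp.status !== 200) throw new Error("login failed: " + resp.status);
  const data = JSON.parse(resp.body);
  if (typeof data.csrf_token !== "string" || data.csrf_token === "") {
    throw new Error("login response did not include a rotated CSRF token");
  }
  csrfState.token = data.csrf_token; // replace the template-rendered token
  return data;
}

// Constructed fake server: rotates the token on login and rejects any POST
// whose X-CSRFToken does not match its current one, mirroring Django 1.5.2+.
function makeFakeServer() {
  let serverToken = "token-before-login";
  return function transport(url, options) {
    if (options.headers["X-CSRFToken"] !== serverToken) {
      return { status: 403, body: JSON.stringify({ detail: "CSRF Failed" }) };
    }
    if (url === "/api/login/") {
      serverToken = "token-after-login"; // rotation on login
      return { status: 200, body: JSON.stringify({ csrf_token: serverToken }) };
    }
    return { status: 201, body: JSON.stringify({ ok: true }) };
  };
}
```

A client that keeps sending the template-rendered token after login gets 403 from the fake server exactly as it would from Django; one that adopts the returned token keeps working.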

13 December 2013
