A note on Django 1.5.2 rotating CSRF token and frontend javascript applications
Check out the new site at https://rkblog.dev.
13 December 2013
Django 1.5.2 introduced a change described as "The CSRF token now rotates when a user logs in". This isn't a problem for typical web applications where the user submits a form and the page reloads. For applications built on JavaScript frameworks like Ember (or Angular) it becomes a problem: the user is logged in in the background with an AJAX request (for example via the Facebook JS SDK) and the page never reloads. When the user logs in the token changes, and subsequent API (POST) requests (to django-rest-framework, for example) will be rejected as forbidden by the server.
A solution is to return a new token in the server response to the login request and insert it in place of the old one, which was inserted when the Django template was rendered:

xhr.setRequestHeader("X-CSRFToken", "{{csrf_token}}");
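The token swap described above, as an added example in plain JavaScript (not code from the original post): a small client that sends the template-rendered token in X-CSRFToken, replaces it with the token carried in the login response, and is exercised against a constructed fake backend that rotates the token on login and answers a stale token with 403. The response field name csrf_token, the /api/login/ URL and the transport signature are assumptions.

```javascript
// Added example, not from the original post. The transport is injectable so the
// block runs offline; in a browser it would wrap XMLHttpRequest or fetch.
class CsrfApiClient {
  // initialToken: value rendered into the page by "{{ csrf_token }}".
  // transport(method, url, headers, body) -> Promise<{status, body}> (assumed shape).
  constructor(initialToken, transport) {
    this.token = initialToken;
    this.transport = transport;
  }

  async request(method, url, body) {
    const headers = { "Content-Type": "application/json" };
    // Django checks the token only on unsafe methods.
    if (!["GET", "HEAD", "OPTIONS", "TRACE"].includes(method)) {
      headers["X-CSRFToken"] = this.token;
    }
    return this.transport(method, url, headers, body);
  }

  // AJAX login: the server is assumed to answer with the rotated token in a
  // "csrf_token" JSON field, which replaces the token rendered at page load.
  async login(credentials) {
    const res = await this.request("POST", "/api/login/", credentials);
    if (res.status === 200 && res.body && res.body.csrf_token) {
      this.token = res.body.csrf_token;
    }
    return res;
  }
}

// Constructed fake backend mimicking Django 1.5.2: the token rotates on login
// and a POST carrying a stale token gets 403.
function makeFakeDjango(initialToken) {
  let current = initialToken;
  let counter = 0;
  return async (method, url, headers) => {
    if (method === "POST" && headers["X-CSRFToken"] !== current) {
      return { status: 403, body: { detail: "CSRF Failed" } };
    }
    if (url === "/api/login/") {
      current = `rotated-${++counter}`; // new token after login
      return { status: 200, body: { csrf_token: current } };
    }
    return { status: 201, body: { ok: true } };
  };
}

// Login then POST. With updateToken=false the login goes through request()
// directly, so the client keeps the stale template token (the 403 case).
async function loginThenPost(updateToken) {
  const creds = { user: "alice" };
  const client = new CsrfApiClient("template-token", makeFakeDjango("template-token"));
  const login = updateToken ? await client.login(creds)
                            : await client.request("POST", "/api/login/", creds);
  const post = await client.request("POST", "/api/items/", { name: "x" });
  return { loginStatus: login.status, postStatus: post.status, token: client.token };
}
```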