Using ajax request in Django without form element

Question

I'd like to send an ajax request (via Jquery, although I think that's irrelevant in this situation) without using a form element in Django. According to the documentation, I should be able to do that by using the ensure_csrf_cookie decorator, however, I get Error was: cannot import name ensure_csrf_cookie.

I'm using the following import from django.views.decorators.csrf import ensure_csrf_cookie.

I didn't find a great deal of documentation about ensure_csrf_cookie, so any help will be greatly appreciated.

By the way, using @csrf_exempt works as expected.

Thanks in advance.

Answer 1

ensure_csrf_cookie may only be a 1.4 alpha feature if you're having trouble importing it -- I can import it just fine with the same statement on trunk.

The simplest solution here is to pass the csrf_token VALUE in the ajax call itself.

You said you were using jQuery.

    $.ajax({
        url: "",
        type: 'POST',
        data: {
             csrfmiddlewaretoken: '{{ csrf_token }}' // just the token value
        },
        success: function(response) {
        }
    })

It appears this ensure_csrf_cookie forces the view to set the csrf cookie that would be required for use in the automatic cookie based csrf protection mechanism for jquery ajax calls described here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

Answer 2

You're right - this appears to be a bug in the documentation. You should be able to use csrf_exempt instead (same documentation page).