
How does cross site recovery work on button click? Please help me.

    function DisplaySeatLayout(ticketClassId, theatreId) {

        $(".tblDetails").show();
        var showId = 7;
        var filmId = 75;

        $.ajax({
            type: "POST",
            url: "/FetchSeatLayout",
            cache: true,
            async: false,
            // Request body is assembled by hand as a string and sent as JSON
            data: "{showId:" + showId + ", theatreId:" + theatreId + ",filmId:" + filmId + ",ticketClassId:" + ticketClassId + ",csrfmiddlewaretoken: '{{ csrf_token }}'}",
            contentType: "application/json",
            dataType: "json",
            success: function (data) {
                $("#divSeatLayout").empty().html(data.d.seatLayout); // Load Seat Layout
            },
            error: function (request, status, error) {
                alert(request.responseText);
            }
        });
    }

1 Answer

The question is not very concise, so I can only give a generic answer to put you in the right direction.

Make sure that your post data contains a field named csrfmiddlewaretoken. When you submit a form, all fields are submitted as multipart/post-data. The HTML form will contain something like:

    <input type='hidden' name='csrfmiddlewaretoken' value='......' />

which will add csrfmiddlewaretoken to the post dictionary.

Since you're using a button, you should make sure that the csrfmiddlewaretoken is also included in that post. Alternatively, if you do not need the cross-session request protection, you could decorate the view with @csrf_exempt.

Freek Wiekmeijer
  • I already added csrftoken to the post data. After posting I got an error saying:

        Reason given for failure:

            CSRF token missing or incorrect.

    – user110104 Feb 03 '14 at 08:47
  • I can't understand "It's not "cross site recovery" but "cross site request forgery"". – user110104 Feb 03 '14 at 09:37
  • CSRF is a security mechanism to protect against (simultaneous) users posting into each others' session on the server. Imagine one user of a webmail server sending an AJAX request with a manipulated session ID. This could potentially retrieve a webmail message that belongs to somebody else's mailbox. Hence the CSRF token to guard against that. More background here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ – Freek Wiekmeijer Feb 03 '14 at 11:09
  • As for debugging: I suggest adding a @csrf_exempt temporarily and then logging request.POST to see what's going on. – Freek Wiekmeijer Feb 03 '14 at 11:11
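As an added example (not code from the question or the answer), here is how to build the POST so that Django's CSRF middleware can find the token: the question's hand-built JSON string never lands in request.POST, which is why the middleware reports the token as missing. It assumes Django's default csrftoken cookie name and the question's /FetchSeatLayout URL; the function names getCookieValue and buildSeatLayoutRequest are my own.

```javascript
// Added example, not from the original post. Django's CSRF check accepts the
// token either as the form field csrfmiddlewaretoken in request.POST or as the
// X-CSRFToken request header, and compares it against the csrftoken cookie
// (default cookie name, assumed here). The question's code sends a hand-built
// string with contentType "application/json", which Django does not parse into
// request.POST, so the middleware answers "CSRF token missing or incorrect".

// Read one cookie value out of a document.cookie-style string.
function getCookieValue(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

// Build request options for /FetchSeatLayout. The body is form-encoded so
// Django populates request.POST; the token is sent in the body and the header,
// so the same options work whether the view reads either location.
function buildSeatLayoutRequest(params, cookieString) {
  const token = getCookieValue(cookieString, "csrftoken");
  if (token === null) {
    // Without the cookie the request will fail the CSRF check; the page must
    // be rendered with {% csrf_token %} or the ensure_csrf_cookie decorator.
    throw new Error("csrftoken cookie not set");
  }
  const body = new URLSearchParams({ ...params, csrfmiddlewaretoken: token });
  return {
    method: "POST",
    url: "/FetchSeatLayout",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "X-CSRFToken": token,
    },
    body: body.toString(),
  };
}

// Browser usage (not executed here, needs a DOM and the cookie):
// const req = buildSeatLayoutRequest(
//   { showId: 7, theatreId: 3, filmId: 75, ticketClassId: 2 }, document.cookie);
// fetch(req.url, { method: req.method, headers: req.headers, body: req.body,
//   credentials: "same-origin" })
//   .then(r => r.json())
//   .then(data => $("#divSeatLayout").empty().html(data.seatLayout));
```

Passing the same headers and body to $.ajax works equally well; the point is that contentType must be form-encoded (or the token must travel in the X-CSRFToken header) for Django to see it.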