Monday, April 2nd, 2012

Fixed CSRF Bug on my profile site

I finally noticed that there was a horrible bug on my profile website, iamkevin.ca. I had never seen the bug myself, because I normally log into the site before using it, so my browser always had a CSRF token. When I visited the site on a new machine without logging in first, I noticed that the AJAX code was not loading... It was very strange, as I had never seen this bug before, but I am sure everyone who has ever visited my profile site has seen it, which is very unfortunate and definitely makes me look bad. It turned out to be a CSRF token issue: the site never set the CSRF cookie unless you visited the hidden log-in page, which of course nobody but me has access to. So I was the only person in the world who was able to see the site working.

I merely modified the template which renders the page to add the {% csrf_token %} template tag, and now it functions as it should. Everyone should now be able to see the site working as it was originally intended; I do apologize to those who saw it while it was in this broken state. Unfortunately, it was like this for months and months... What an awful situation. At least now I know that if I want to build a complete AJAX website in Django, the initial page needs to provide the CSRF token, or nothing will work for end users and only I will be able to see it work. Lesson learned.
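As an added example (not code from iamkevin.ca), here is the browser-side counterpart of that fix: the AJAX helper reads Django's csrftoken cookie into the X-CSRFToken header and reports loudly when the cookie is missing, instead of silently sending a request the server will reject. It assumes Django's default cookie name "csrftoken" and header name "X-CSRFToken"; the function names are my own.

```javascript
// Added example, not code from the original site. Django's CsrfViewMiddleware
// expects state-changing AJAX requests to send the value of the "csrftoken"
// cookie in an X-CSRFToken header. If the initial page never rendered
// {% csrf_token %} (or was not served by an @ensure_csrf_cookie view), the
// cookie is absent and every AJAX write fails with 403, which is the bug
// described above. These helpers make that case visible in the client.

// Parse a document.cookie-style string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Django only checks the token on methods that can change state.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build the headers for an AJAX request. Returns { ok, headers, error }.
// "csrftoken" is Django's default CSRF_COOKIE_NAME (assumed, not changed).
function buildCsrfHeaders(method, cookieString, cookieName = "csrftoken") {
  const headers = { "X-Requested-With": "XMLHttpRequest" };
  if (csrfSafeMethod(method)) return { ok: true, headers, error: null };
  const token = parseCookies(cookieString)[cookieName];
  if (!token) {
    // The silent failure from the post: without the cookie the server will
    // answer 403, so report it rather than sending a doomed request.
    const error = `missing ${cookieName} cookie; the page must render {% csrf_token %} first`;
    return { ok: false, headers, error };
  }
  headers["X-CSRFToken"] = token;
  return { ok: true, headers, error: null };
}

// fetch() wrapper that refuses to send a request it already knows will fail.
async function csrfFetch(url, options = {}, cookieString = document.cookie) {
  const method = (options.method || "GET").toUpperCase();
  const result = buildCsrfHeaders(method, cookieString);
  if (!result.ok) throw new Error(result.error);
  const headers = { ...(options.headers || {}), ...result.headers };
  return fetch(url, { ...options, method, credentials: "same-origin", headers });
}
```

In a page that does render the token, `csrfFetch("/api/save", { method: "POST", body })` adds the header automatically; on a page that does not, it throws the descriptive error instead of leaving a blank widget.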

Python Powered | © 2012-2014 Kevin Veroneau