If you have checked the templates for auth.login
you'll notice that a CSRF token is explicitly included inside the <form>
tag.
<form method="post" action=".">
{% csrf_token %}
This is expanded into a hidden field when the page is rendered on a GET
request. Something like:
<form method="post" action=".">
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken'
value='90064bf0e86edacfdb60595e3e2b8f23' />
</div>
This token is then passed back to the view on POST
and validated.
Consequently before you can POST
to a CSRF protected view you will have to first get the token from the said view.
Can you verify/ensure that you have the CSRF token handy before making a POST
request to the view? Alternately you can disable CSRF protection for the view using the csrf_exempt
decorator. This may not be a good idea though.
Update
This is the point of my question: I am not using django templates for my front-end and thus I cannot tag forms with the token. I am using GWT for my front-end, which is rendering the form for the post.
Are you already making a GET
request to the Django view before rendering the page? In that case you can get the CSRF token by parsing the contents of the response.
If not you will have to explicitly make a GET
request to the view (assuming it supports GET
) and parse the response for a CSRF token. For an example see this question.