Question

I'm developing a plugin for Trac and trying to submit some info to the database.

The scheme is:

  1. Check a user you want to add to a department
  2. Click a button to issue an ajax POST request
  3. Process Request.

Everything was pretty fine while I was working with the old 0.11 release (not sure if that's the reason).

The company I've been working at updated Trac to the current stable 1.0.1 release and something is really wrong now.

Sending POST request without any data like this:

$.post("trac_dep_policy");

Went fine, but if I try to add some data:

$.post("trac_dep_policy", { name: "John", time: "2pm" } );

I get 400 Bad Request error. After some debugging I figured out it's the protection against CSRF attacks that is working against me. (web/main.py)

The question is simple - how should I deal with it?

Solution

CSRF protection is auto-added to each form by a combination of in-place Genshi template modification and read-back on POST request, and I know this has been added very early, fixed version in Trac 0.10.2 release to be clear.

You'll need to use XMLRPC protocol (see XMLRPC plugin) or read the hidden form token yourself.

Other tips

The answer was simple enough:

Just as @hasienda mentioned in his answer - each form in Trac is provided with a hidden input inside a div element with a certain name tag and a token value:

<form>
    <div>
        <input type="hidden" name="__FORM_TOKEN" value="9c69c37f52f669fb99b095e4">
    </div> 
</form>

Now, everything you'll need to do a successful POST request via ajax is to pass this __FORM_TOKEN value together with your data:

var token_value = $("input[name=__FORM_TOKEN]").val();
$.post(url, {__FORM_TOKEN: token_value, data: your_data})
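
The token-passing approach from the answer above, as an added example that is not part of the original answers: it reads the hidden `__FORM_TOKEN` field, fails early when the page has none, and attaches the token only to same-origin requests so it is never sent to another site. The helper names `readFormToken` and `buildTokenPost` and the sample host are assumptions made for illustration.

```javascript
// Added example (not from the original answers). Helper names are hypothetical.
const FORM_TOKEN_FIELD = "__FORM_TOKEN"; // hidden field name shown in the answer

// Read the token from a document-like object (in a browser, pass `document`).
function readFormToken(doc) {
  const input = doc.querySelector('input[name="' + FORM_TOKEN_FIELD + '"]');
  return input && input.value ? input.value : null;
}

// Build a form-encoded POST carrying the token, but only for same-origin targets.
function buildTokenPost(target, data, token, pageUrl) {
  if (!token) {
    throw new Error("no " + FORM_TOKEN_FIELD + " on this page; the POST would get 400");
  }
  const page = new URL(pageUrl);
  const url = new URL(target, page); // resolves relative paths like "trac_dep_policy"
  if (url.origin !== page.origin) {
    throw new Error("refusing to send the form token to " + url.origin);
  }
  // The token is spread last so caller-supplied data cannot override it.
  const body = new URLSearchParams({ ...data, [FORM_TOKEN_FIELD]: token });
  return {
    url: url.href,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      credentials: "same-origin", // send the session cookie, never cross-site
    },
  };
}

// Browser usage (assumes the current page was rendered by Trac and contains a form):
//   const req = buildTokenPost("trac_dep_policy", { name: "John", time: "2pm" },
//                              readFormToken(document), location.href);
//   fetch(req.url, req.init).then((r) => { if (!r.ok) throw new Error(r.status); });
```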
License: CC-BY-SA with attribution
Not affiliated with StackOverflow