The problem with CSRF cookie tokens in Django 1.6
In our latest release, we were experiencing duplicate CSRF cookies in Django. We just upgraded from Django 1.4 to 1.6 and we never had any problems in 1.4. Basically everything starts out great for every user, but at some point they have more than one CSRF cookie and the browser gets confused and doesn't know which one to use. It usually picks the wrong ones and causes CSRF issues. Our site uses multiple subdomains, so there is usually a cookie for .site.com, .sub.site.com, site.com, and more.
We tried to set "CSRF_COOKIE_DOMAIN" on .site.com and this seemed to make the problem less often, but sometimes it happened when subdomains were in use and users were logged out and registered as other users.
We also found that the favicon was not defined in our base template, causing the additional request to go through the middleware, but that was fixed. We then confirmed that only the real request goes through middleware and not from static or media files.
We still can't reproduce the issue on command, and generally whenever it does, clearing cookies works as a temporary fix, but it still keeps happening intermittently. Does anyone know why this might be happening? Is there something we are missing in the docs?
Thank.
EDIT:
I forgot to mention that we have multiple server environments (site.com, demo.site.com and beta.site.com). After a bit more digging, it looked like users testing in beta and then using products that have cross-environment cookie conflicts. Just now we tried to set the csrf cookie domains for each environment to ".beta.site.com" and ".demo.site.com" instead of ".site.com" and it seemed to help, especially when you clear your cookies between work in each environment. However, there is still the possibility of cookies.site.com colliding with products colliding with beta and demo, but that's at least a problem.
So what more can we do about it? Also, is there anything we can do when we push this to production where users have old "site.com" cookies that have conflicts with the new specified ".site.com" cookies?
EDIT 2:
I posted the solution, but he won't let me accept it for a few days.
source to share
I think we finally figured it out. Separate "CSRF_COOKIE_DOMAIN" for each environment (".beta.site.com", ".demo.site.com", etc.) Stopped cross-environment issues. We also finished setting the "CSRF_COOKIE_NAME" to "csrf_token" instead of the default "csrftoken" so that users with old csrftoken cookies are not harmed.
source to share