Django CSRF_COOKIE_DOMAIN - how to gracefully change
I have a Django open source site that uses CSRF protection. I have not set CSRF_COOKIE_DOMAIN. My site uses subdomains.

Sometimes the user ends up with a csrftoken cookie set on .toplevel.com and also on sub.toplevel.com. This causes problems because the CSRF check fails if the check uses the wrong cookie.

I would like to set CSRF_COOKIE_DOMAIN to .toplevel.com. However, I would also like to delete any csrftoken cookies for any subdomain *.toplevel.com. How should I do it?

If I don't delete the other cookies, I'll just go back to the original situation where you have two cookies with the same name, which is causing problems.
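Added example, not part of the question and not Django's own code: stdlib-only Python that shows the two pieces a cleanup needs. A browser that holds both a host-only csrftoken cookie (set on sub.toplevel.com) and a Domain=.toplevel.com one sends both pairs in the same Cookie header; Django's request.COOKIES keeps a single value per name, so the CSRF check may compare against the wrong one. The first function finds that collision in the raw header; the second builds the Set-Cookie line that removes only the host-only copy (a Set-Cookie without a Domain attribute matches the host-only cookie of the responding host and leaves the .toplevel.com cookie alone). The function names, the sample header and the CSRF_COOKIE_NAME default are assumptions for this example; the cookie name "csrftoken" is Django's default.

```python
from http.cookies import SimpleCookie

CSRF_COOKIE_NAME = "csrftoken"  # Django's default CSRF cookie name


def duplicate_cookie_values(cookie_header, name=CSRF_COOKIE_NAME):
    """Return every value sent for `name` in a raw Cookie header, in order.

    A host-only cookie and a Domain=.toplevel.com cookie with the same name
    arrive as two separate name=value pairs. A framework that stores cookies
    in a dict keeps only one of them, which is the root of the failing check.
    """
    values = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        if key.strip() == name:
            values.append(value.strip())
    return values


def host_only_deletion_header(name=CSRF_COOKIE_NAME, path="/"):
    """Set-Cookie value that clears only the host-only copy of the cookie.

    No Domain attribute is set on purpose: the browser then matches the cookie
    that was stored for the responding host (sub.toplevel.com) and does not
    touch the one stored for .toplevel.com.
    """
    cookie = SimpleCookie()
    cookie[name] = ""
    cookie[name]["max-age"] = 0
    cookie[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    cookie[name]["path"] = path
    return cookie[name].OutputString()


def cleanup_headers(cookie_header, name=CSRF_COOKIE_NAME):
    """Set-Cookie line(s) to emit when the request carries a colliding cookie.

    Returns an empty list when there is at most one cookie of that name, so a
    middleware can call this on every request without side effects.
    """
    if len(duplicate_cookie_values(cookie_header, name)) > 1:
        return [host_only_deletion_header(name)]
    return []


if __name__ == "__main__":
    # Constructed sample: what a browser sends once both cookies exist.
    sample = "sessionid=s3ss10n; csrftoken=hostonlyvalue; csrftoken=domainvalue"
    print("values seen:", duplicate_cookie_values(sample))
    for line in cleanup_headers(sample):
        print("Set-Cookie:", line)
```

Wiring it into a Django project means reading request.META["HTTP_COOKIE"] in a middleware and adding the deletion line to the response. One caveat when doing that: HttpResponse.cookies is a SimpleCookie keyed by cookie name, so a single response cannot carry both this deletion and the Domain=.toplevel.com csrftoken that CsrfViewMiddleware sets; emit the deletion on a response where the CSRF cookie is not being (re)set, and let the next request pick up only the domain-wide cookie.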