Django CSRF_COOKIE_DOMAIN - how to gracefully change

I have a Django open source site that uses CSRF protection.

I have not set CSRF_COOKIE_DOMAIN. My site uses subdomains.

Sometimes the user ends up with a csrftoken cookie on .toplevel.com and also on sub.toplevel.com. This causes problems because the CSRF check fails if the check uses the wrong cookie.

I would like to set CSRF_COOKIE_DOMAIN to .toplevel.com. However, I would also like to delete any csrftoken cookies for any subdomains *.toplevel.com. How should I do it?

If I don't delete the other cookies, I'll just go back to the original situation where you have two cookies with the same name, which is what causes the problems.

+3

1 answer


I had a similar problem. The way I did it: along with CSRF_COOKIE_DOMAIN, I also changed CSRF_COOKIE_NAME, making the old "csrftoken" cookies obsolete.



+7
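A concrete way to combine both settings with a cleanup of the stale cookie, as an added example that is neither the asker's nor the answerer's code: it assumes Django's function-style middleware API and HttpResponse.delete_cookie(key, path, domain); OLD_CSRF_COOKIE_NAME, the domain values and the stub request/response classes are constructed for illustration.

```python
# settings.py (constructed values)
CSRF_COOKIE_DOMAIN = ".toplevel.com"   # one cookie shared by every subdomain
CSRF_COOKIE_NAME = "csrftoken_v2"      # new name, so stale "csrftoken" cookies are ignored
OLD_CSRF_COOKIE_NAME = "csrftoken"     # hypothetical setting naming the legacy cookie


def legacy_cookie_domains(cookie_domain):
    """Domain attributes needed to expire every copy of the legacy cookie
    the browser may send: None expires a host-only cookie set by the
    responding host, cookie_domain expires the copy shared across
    subdomains. A host-only cookie set by a *different* subdomain can
    only be expired by a response from that subdomain, so the middleware
    has to run on every host of the site."""
    return [None, cookie_domain]


def legacy_csrf_cookie_cleanup(get_response, old_name=OLD_CSRF_COOKIE_NAME,
                               new_name=CSRF_COOKIE_NAME,
                               cookie_domain=CSRF_COOKIE_DOMAIN):
    """Function-style Django middleware; list it in MIDDLEWARE."""
    if old_name == new_name:
        raise ValueError("legacy and current CSRF cookie names must differ")

    def middleware(request):
        response = get_response(request)
        if old_name in request.COOKIES:  # browser still holds a stale copy
            for domain in legacy_cookie_domains(cookie_domain):
                response.delete_cookie(old_name, path="/", domain=domain)
        return response
    return middleware


class _StubRequest:
    """Constructed stand-in for HttpRequest; only .COOKIES is used."""
    def __init__(self, cookies):
        self.COOKIES = cookies


class _StubResponse:
    """Constructed stand-in for HttpResponse recording delete_cookie calls."""
    def __init__(self):
        self.deleted = []

    def delete_cookie(self, key, path="/", domain=None):
        self.deleted.append((key, path, domain))


def simulate(cookies):
    """Run the middleware over stubs; returns the expirations it emitted."""
    handler = legacy_csrf_cookie_cleanup(lambda request: _StubResponse())
    return handler(_StubRequest(cookies)).deleted
```

Because a browser only expires a cookie whose Domain attribute matches, the middleware can clear the host-only copy only for the subdomain that serves the response; renaming the cookie is what makes any copies it cannot reach harmless.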
