[Django] #30282: CSRF token invalid after DELETE request


Django

Mar 22, 2019, 5:52:19 PM3/22/19
to django-...@googlegroups.com
#30282: CSRF token invalid after DELETE request
-------------------------------------+-------------------------------------
Reporter: my-tien                    | Owner: nobody
Type: Bug                            | Status: new
Component: CSRF                      | Version: 2.1
Severity: Normal                     | Keywords: CSRF RESTful-API DELETE
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
I am using a RESTful API in my Django server with CSRF middleware enabled.
When I only use GET and POST requests, all works as expected. But when I
send a DELETE request to a resource and afterwards perform a POST request
– that contains a csrf cookie and csrfmiddlewaretoken in the body – the latter
is rejected with `CSRF token missing or incorrect` and I have to log in
again.

DELETE request Headers:
- REQUEST_METHOD: DELETE
- CONTENT_TYPE: "application/x-www-form-urlencoded"
- HTTP_COOKIE: sessionid=[session id], csrftoken=[csrfcookie]
- HTTP_X_CSRFTOKEN: [csrfcookie] (I also don’t understand why DELETE needs
this extra header with the same content as the csrftoken…)
- HTTP_REFERER: [url]

DELETE request Body: csrfmiddlewaretoken: [csrfcookie]

--
Ticket URL: <https://code.djangoproject.com/ticket/30282>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
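The reporter's question about why a DELETE needs the X-CSRFToken header comes down to where the middleware looks for the token. The block below is an added, simplified model of that check (not Django's own code and not from the ticket): the request dicts are constructed, and `form` stands in for `request.POST`, which Django populates and consults only for POST requests, so a DELETE with the token only in a form-encoded body is rejected.

```python
import hmac
import secrets
import string

CHARS = string.ascii_letters + string.digits  # Django's CSRF token alphabet
SECRET_LEN = 32  # Django >= 1.10: 32-char secret masked with a 32-char mask
TOKEN_LEN = 2 * SECRET_LEN

def new_secret() -> str:
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))

def mask_secret(secret: str) -> str:
    """Cookie and each form field carry a differently masked copy of one secret."""
    mask = new_secret()
    cipher = "".join(CHARS[(CHARS.index(s) + CHARS.index(m)) % len(CHARS)]
                     for s, m in zip(secret, mask))
    return mask + cipher

def unmask_token(token: str) -> str:
    mask, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(c) - CHARS.index(m)) % len(CHARS)]
                   for c, m in zip(cipher, mask))

def well_formed(token: str) -> bool:
    return len(token) == TOKEN_LEN and all(c in CHARS for c in token)

def csrf_check_passes(method: str, cookies: dict, headers: dict, form: dict) -> bool:
    """Simplified model of CsrfViewMiddleware.process_view. `form` stands for
    request.POST, which Django populates and consults only for POST."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True                      # safe methods are never checked
    cookie_token = cookies.get("csrftoken", "")
    if not well_formed(cookie_token):
        return False                     # missing or malformed cookie
    request_token = form.get("csrfmiddlewaretoken", "") if method == "POST" else ""
    if request_token == "":              # DELETE/PUT/PATCH: only the header is read
        request_token = headers.get("HTTP_X_CSRFTOKEN", "")
    if not well_formed(request_token):
        return False
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(request_token))

def demo() -> tuple:
    """Constructed requests mirroring the ticket's DELETE and POST."""
    secret = new_secret()
    cookie, body = {"csrftoken": mask_secret(secret)}, {"csrfmiddlewaretoken": mask_secret(secret)}
    header = {"HTTP_X_CSRFTOKEN": mask_secret(secret)}
    return (csrf_check_passes("DELETE", cookie, {}, body),       # False: body ignored
            csrf_check_passes("DELETE", cookie, header, {}),     # True
            csrf_check_passes("POST", cookie, {}, body))         # True
```

The model omits Django's HTTPS Referer check and cookie rotation; it only shows the token-source rule that makes the header mandatory for non-POST unsafe methods.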

Django

Mar 23, 2019, 7:21:10 AM3/23/19
to django-...@googlegroups.com
#30282: CSRF token invalid after DELETE request
-------------------------------------+-------------------------------------
Reporter: my-tien                    | Owner: nobody
Type: Bug                            | Status: closed
Component: CSRF                      | Version: 2.1
Severity: Normal                     | Resolution: invalid
Keywords: CSRF RESTful-API DELETE    | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => invalid


Comment:

It looks like a support issue, not a bug in Django. Please use one of
[https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels support channels].

--
Ticket URL: <https://code.djangoproject.com/ticket/30282#comment:1>
