IE sends wrong CSRF cookie


Christian Ullrich

May 13, 2014, 2:54:15 AM5/13/14
to django...@googlegroups.com
Hello all,

I have a strange problem with a POST form submission from IE.
Apparently, the browser spontaneously starts sending a different CSRF
cookie with the POST request:

-> GET /form/
<- 200, Set-Cookie: csrftoken=abcd
-> GET /some/resource, Cookie: csrftoken=abcd
<- 200
-> GET /some/otherresource, Cookie: csrftoken=abcd
<- 200
-> POST /form/, Cookie: csrftoken=efgh, Data: csrfmiddlewaretoken=abcd
<- 403 Forbidden (or rather, FORBIDDEN, from IIS, but I doubt that's
relevant)

After that, the user retries, and the browser faithfully GETs all the
parts again with the "abcd" cookie, the user hits the button, and the
POST request happens again with the "efgh" one and the same predictable
result. Explicitly reloading the form page, so the browser gets the
Set-Cookie again, seems to help, until the next time.

As I understand cookies, when they are set, they supersede any previous
value for the same name and domain. So where does that different value
come from, and how do I get rid of it?

I started sending the form page itself with Cache-Control: no-cache,
just in case the browser somehow cached the request, but that was a wild
guess and probably wrong.

Please help.

--
Christian
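One way to spot this pattern in a captured exchange, as an added example (my own code, not from the post or from Django): walk a trace written in the notation used above and flag every POST whose csrftoken cookie disagrees with the csrfmiddlewaretoken form field or with the last Set-Cookie the server issued, which is the combination Django's CsrfViewMiddleware rejects with a 403. The trace below is constructed to mirror the one in the post.

```python
import re

# Constructed trace in the same notation the post uses (not captured from the
# poster's system): one line per request ("->") or response ("<-").
TRACE = """\
-> GET /form/
<- 200, Set-Cookie: csrftoken=abcd
-> GET /some/resource, Cookie: csrftoken=abcd
<- 200
-> GET /some/otherresource, Cookie: csrftoken=abcd
<- 200
-> POST /form/, Cookie: csrftoken=efgh, Data: csrfmiddlewaretoken=abcd
<- 403 Forbidden
"""

# "(?<!Set-)" keeps the request-cookie pattern from matching Set-Cookie.
COOKIE_RE = re.compile(r"(?<!Set-)Cookie: csrftoken=(\S+?)(?:,|$)")
SETCOOKIE_RE = re.compile(r"Set-Cookie: csrftoken=(\S+?)(?:,|$)")
FORM_RE = re.compile(r"csrfmiddlewaretoken=(\S+?)(?:,|$)")


def find_csrf_mismatches(trace):
    """Return (line_no, reason) for each POST whose csrftoken cookie differs
    from the submitted form token or from the last Set-Cookie value seen.
    Django compares cookie token and form token and returns 403 on mismatch."""
    last_set = None
    findings = []
    for no, line in enumerate(trace.splitlines(), 1):
        if line.startswith("<-"):
            m = SETCOOKIE_RE.search(line)
            if m:
                last_set = m.group(1)  # server-issued value supersedes earlier ones
            continue
        if not line.startswith("-> POST"):
            continue
        cookie_m = COOKIE_RE.search(line)
        form_m = FORM_RE.search(line)
        cookie = cookie_m.group(1) if cookie_m else None
        form = form_m.group(1) if form_m else None
        if cookie is None or form is None:
            findings.append((no, "POST missing csrftoken cookie or form token"))
        elif cookie != form:
            findings.append((no, f"cookie {cookie!r} != form token {form!r}"))
        if cookie is not None and last_set is not None and cookie != last_set:
            findings.append((no, f"cookie {cookie!r} differs from last Set-Cookie {last_set!r}"))
    return findings
```

Run against the trace above it reports line 7 twice: the cookie disagrees with the form token and with the value the server last set, which is exactly the stale-cookie symptom described in the post.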
