Tastypie csrftoken not set in incognito mode

Question

I use ajax calls against a thin tastypie layer to CRUD (using csrf tokens). Everything works like a charm until I run the site in e.g. Chrome incognito mode. I keep getting 401s on CUD requests.

Looking at the request cookies I find that the sessionid cookie is set but the csrftoken cookie is not (its properly set if I run in normal mode).

In my settings.py I have :

MIDDLEWARE_CLASSES = (
  'django.middleware.common.CommonMiddleware',
  'django.contrib.sessions.middleware.SessionMiddleware',
  'django.middleware.csrf.CsrfViewMiddleware',
  'django.contrib.auth.middleware.AuthenticationMiddleware',
  'django.contrib.messages.middleware.MessageMiddleware',
 )

Anyone ran into that issue and can save me some time here?

Thanks a lot, Juergen

score 3 · Accepted Answer · answered Sep 02 '13 at 11:23

I found the reason for the cookie not being set in Django's middleware file csrf.py. The code below if kicked in when in incognito mode preventing the cookie to be set:

    if not request.META.get("CSRF_COOKIE_USED", False):
        return response

My workaround is to set this value for my ModelResources in tastypie's api.py file manually:

class MyModelResource( ModelResource ) :

    [..]

    def wrap_view(self, view):
         def wrapper(request, *args, **kwargs):
             request.META["CSRF_COOKIE_USED"] = True
             wrapped_view = super(MyModelResource, self).wrap_view(view)
             return wrapped_view(request, *args, **kwargs)
         return wrapper

Tastypie csrftoken not set in incognito mode

1 Answers1