Django can not delete csrftoken after logout

Question

I am using varnish as a front end cache for a Django app. It all works well with regards to the VCL configuration. The issue i have is that after the user logs out the csrftoken cookie is not deleted and from then on the varnish has a MISS response instead of a HIT. After reading here on stackoverflow some related questions i have this logout view

def logout_view(request):
    response = render_to_response('registration/logout.html', {}, context_instance=RequestContext(request))

    if request.user.is_authenticated():
        logout(request)

        if request.GET.get('next', False):
           response = HttpResponseRedirect(next)

    response.delete_cookie('sessionid')
    response.delete_cookie('csrftoken')
    return response

and this Response headers after user has hit the logout page

Response Headers
Age:0
Cache-Control:max-age=600
Connection:keep-alive
Content-Language:en
Content-Type:text/html; charset=utf-8
Date:Mon, 23 Sep 2013 09:20:43 GMT
Expires:Mon, 23 Sep 2013 09:30:43 GMT
P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Server:nginx/1.4.1
Set-Cookie:sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Set-Cookie:csrftoken=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/
Transfer-Encoding:chunked
Vary:Cookie, Accept-Language, Host
Via:1.1 varnish
X-Cache:MISS
X-Varnish:1950616479

default.vcl for completeness:

backend default {
    .host = "127.0.0.1";
    .port = "8000";
}

sub vcl_recv {
    set req.grace = 15s;

    if (req.http.Cookie) {
        set req.http.Cookie = regsuball(req.http.Cookie, "(^|; ) *__utm.=[^;]+;? *", "\1"); # removes all cookies named __utm? (utma, utmb...) - tracking thing
    }

    # unless sessionid/csrftoken is in the request, don't pass ANY cookies (referral_source, utm, etc)
    if (req.request == "GET" && (req.url ~ "^/static" || (req.http.cookie !~ "flash_sessionid" && req.http.cookie !~ "csrftoken"))) {
        remove req.http.Cookie;
    }

    # normalize accept-encoding to account for different browsers
    # see: https://www.varnish-cache.org/trac/wiki/VCLExampleNormalizeAcceptEncoding
    if (req.http.Accept-Encoding) {
        if (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {  
            # unknown algorithm  
            remove req.http.Accept-Encoding;
        }
    }
}

sub vcl_fetch {
    set beresp.ttl = 300s;
    set beresp.grace = 15s;

    # static files always cached 
    if (req.url ~ "^/static") {
       unset beresp.http.set-cookie;
       return (deliver);  
    }

    # pass through for anything with a session/csrftoken set
    if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken") {
       return (hit_for_pass);
    } else {
       return (deliver);
    }
}

sub vcl_deliver {
    # Add a header to indicate a cache HIT/MISS
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
    return (deliver);
}

On the response headers i see Django setting the cookie value to a date in the past, however the csrftoken cookie still persists on the next request.

I also tried to remove the 'django.middleware.csrf.CsrfViewMiddleware' middleware but the cookie is still there.

Answer 1

You can fix the problem by editing your vcl_fetch as follows:

sub vcl_fetch {
    # pass through for anything with a session/csrftoken set
    if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken" || beresp.http.set-cookie ~ "sessionid") {
       return (hit_for_pass);
    } else {
       return (deliver);
    }
}

This way you're checking for Set-Cookie:sessionid as well.

Varnish sees only the first Set-Cookie header when using beresp.http.set-cookie, so in your case Varnish returns vcl_deliver instead of hit_for_pass.

For further reading I'd suggest taking a look at vmod_header.