Different csrfmiddlewaretoken in form and csrfotken in cookie

Question

I have a simple form in which I am using a csrfmiddlewaretoken in django as:

<form>
{% csrf_token %}
</form>

On page load both the csrfmiddlewaretoken in form and csrftoken in cookie are same but when I refresh the page using ctrl + F5, the csrftoken in cookie changes but the csrfmiddlewaretoken in the form remains same, which leads to the future POST AJAX request fail.

What can be the reason of this ?

score 2 · Answer 1 · answered May 30 '17 at 15:19

I think your Django version is 1.10 or 1.11, because after 1.9, there are some news in csrf.

To protect against BREACH attacks, the CSRF protection mechanism now changes the form token value on every request (while keeping an invariant secret which can be used to validate the different tokens).

doc link

Dariusz Aniszewski · Answer 2 · 2014-09-19T18:54:06.903

0

Are you using cache?
Have you tried to add @csrf_protect decorator to your method responsible for generating HTML?
Are you doing any manual manipulation with csrf token in your views?

Some code snippets of your views and forms would be useful, it's wild guessing without them.

edited Sep 19 '14 at 18:54

answered Sep 19 '14 at 11:33

Dariusz Aniszewski

457
2
9

Different csrfmiddlewaretoken in form and csrfotken in cookie

2 Answers2