3

I have two applications running on the same domain on different ports, both using csrf middleware.

When I log in to one of the applications, all POST submits from the other fail.
I presume because the SESSION_COOKIE_DOMAIN is the same.

I tried changing SESSION_COOKIE_NAME, however, the 'csrftoken' cookie is used in the forms POST request on both sites, no matter that there now is a new cookie with the name I specified.

When I post information with AJAX and get the csrf token from the cookie with the new name - it works, however, form submits fail with CSRF verification failed.

John Moutafis
Diko Parvanov

1 Answer

6

The CSRF token cookie is named csrftoken by default, but you can control the cookie name via the CSRF_COOKIE_NAME setting. Docs.

Use a different CSRF cookie name for each app.

Joseph
  • 1
    the AJAX works when I change the cookie name, the html form POST requests do not – Diko Parvanov Mar 06 '15 at 15:50
  • 3
    You said you only changed the SESSION_COOKIE_NAME, but did you also change the CSRF_COOKIE_NAME as I mentioned? Are your forms including the {% csrf_token %} tag? – Joseph Mar 06 '15 at 15:53
  • 1
    well, sir, SESSION_COOKIE_NAME and CSRF_COOKIE_NAME were different things. you saved me. thanks! – Diko Parvanov Mar 06 '15 at 16:06
  • 1
    It is worth specifically noting that both `SESSION_COOKIE_NAME` and `CSRF_COOKIE_NAME` both need to be changed. – conmak Nov 09 '22 at 20:29
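
Why the cookie names matter, as an added example that is not part of the original question or answers: cookies are scoped by host and path, not by port, so two apps on the same host share one cookie namespace. Python's `http.cookiejar` stands in for the browser here; the host, ports and cookie values are constructed, and each name pair corresponds to an app's `SESSION_COOKIE_NAME` and `CSRF_COOKIE_NAME`.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

HOST = "apps.example.test"  # constructed host; the two apps differ only by port


class FakeResponse:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, set_cookies):
        self._headers = email.message.Message()
        for value in set_cookies:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def visit(jar, port, set_cookies=()):
    """Send one request to the app on `port`; return the cookies the client sent."""
    request = urllib.request.Request(f"http://{HOST}:{port}/")
    jar.add_cookie_header(request)  # client attaches whatever matches host/path
    sent = request.get_header("Cookie", "")
    jar.extract_cookies(FakeResponse(set_cookies), request)  # store Set-Cookie
    return dict(pair.split("=", 1) for pair in sent.split("; ") if pair)


def simulate(names_a, names_b):
    """names_x = (SESSION_COOKIE_NAME, CSRF_COOKIE_NAME) of app A / app B."""
    jar = CookieJar()
    visit(jar, 8000, [f"{names_a[0]}=sessA; Path=/", f"{names_a[1]}=csrfA; Path=/"])
    visit(jar, 8001, [f"{names_b[0]}=sessB; Path=/", f"{names_b[1]}=csrfB; Path=/"])
    return visit(jar, 8000)  # cookies app A receives on its next request


# Default names in both apps: app B's cookies replace app A's.
shared = simulate(("sessionid", "csrftoken"), ("sessionid", "csrftoken"))
# Distinct names (constructed): app A gets its own values back, alongside B's.
split = simulate(("a_sessionid", "a_csrftoken"), ("b_sessionid", "b_csrftoken"))

if __name__ == "__main__":
    print("shared names:", shared)
    print("distinct names:", split)
```

With distinct names each app still receives the other app's cookies, but ignores them because it only reads the names configured in its own settings.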