AJAX/XHR and X-CSRFToken

Hey,

I have run into an issue with my csrf token where some users are randomly getting a 403 forbidden message on POSTs. The issue seems very similar to what is being described in this ticket:

https://code.djangoproject.com/ticket/30514

The error messages we’re seeing indicate that the csrf_token cookie is not set, but we’re able to tell from the request logs that the X-CSRFToken header WAS set, and it just appears not to be used at all.

The docs here:

https://docs.djangoproject.com/en/3.0/ref/csrf/#setting-the-token-on-the-ajax-request

…indicate that the X-CSRFToken header is the right place to do this… but, that appears to have no effect when used in a POST if the csrf_token cookie is not also there. Removing the header also has no effect (when cookies are present).

Are the docs wrong? Is the only way to actually send the csrf_token for validation in POST/PUT/PATCH via cookies? Or is the csrf middleware broken as suggested in the ticket?

Thanks for any insights!