Hey,
I have run into an issue with my csrf token where some users are randomly getting a 403 forbidden message on POSTs. The issue seems very similar to what is being described in this ticket:
https://code.djangoproject.com/ticket/30514
The error messages we’re seeing are indicating that the csrf_token cookie is not set, but we’re able to tell from the request logs that X-CSRFToken header WAS set, and just appears to not actually be used at all.
The docs here:
https://docs.djangoproject.com/en/3.0/ref/csrf/#setting-the-token-on-the-ajax-request
…indicate that the X-CSRFToken header is the right place to do this… but, that appears to have no effect when used in a POST if the csrf_token cookie is not also there. Removing the header also has no effect (when cookies are present).
Are the docs wrong? Is the only way to actually send the csrf_token for validation in POST/PUT/PATCH via cookies? Or is the csrf middleware broken as suggested in the ticket?
Thanks for any insights!
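For readers of this thread, an added example (not Django's code and not the poster's) that models the order of checks in Django's CSRF middleware: the header value is never accepted on its own, it is only compared against the secret recovered from the `csrftoken` cookie, so a missing cookie yields "CSRF cookie not set." before the header is even read. The masking scheme is a simplified re-implementation of Django's (which calls it salting in 3.0); the cookie and header names are Django's defaults.

```python
"""Simplified model of Django's double-submit CSRF check (assumption: not Django's own code)."""
import hmac
import secrets

CSRF_ALLOWED_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def random_secret(n=CSRF_SECRET_LENGTH):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def mask_secret(secret):
    """Return a fresh masked token for `secret`: mask || (secret shifted by mask).
    Each token carries a new random mask, so cookie and header differ textually."""
    chars = CSRF_ALLOWED_CHARS
    mask = random_secret()
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token):
    """Recover the underlying secret from a masked token (inverse of mask_secret)."""
    chars = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(chars[(chars.index(c) - chars.index(m)) % len(chars)]
                   for c, m in zip(cipher, mask))


def _well_formed(token):
    return len(token) == CSRF_TOKEN_LENGTH and all(c in CSRF_ALLOWED_CHARS for c in token)


def check_csrf(cookies, headers, post_data=None):
    """Mirror the check order for unsafe methods (POST/PUT/PATCH/DELETE).

    Returns (accepted, reason). The cookie is consulted first; the form field
    csrfmiddlewaretoken or the X-CSRFToken header is then compared *against* it.
    """
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None or not _well_formed(cookie_token):
        return False, "CSRF cookie not set."
    request_token = (post_data or {}).get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if not _well_formed(request_token):
        return False, "CSRF token missing or incorrect."
    # Constant-time comparison of the two unmasked secrets, as the middleware does.
    if not hmac.compare_digest(unmask_token(cookie_token), unmask_token(request_token)):
        return False, "CSRF token missing or incorrect."
    return True, "ok"
```

Run `check_csrf({}, {"X-CSRFToken": mask_secret(random_secret())})` to reproduce the cookie-less case from the post: it is refused regardless of the header's value.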