CSRF cookie is not set, Set-Cookie present in response headers

Good evening!

I’m trying to set up an API using DRF and authenticate users through sessions. And during testing I have faced the following problem:

  1. I am logging the user in: it comes through and the response contains two cookies, sessionid and csrftoken
  2. However, no cookies have been set and I can’t see them in the browser, nor do they exist in document.cookie
  3. I am sending a PATCH/POST/PUT/DELETE request (that requires an X-CSRFToken header) and all I get is this error:

{“detail”:“CSRF Failed: CSRF token from the ‘X-Csrftoken’ HTTP header has incorrect length.”}

This is because when I try to get csrftoken cookie value from cookies, it returns an empty string. No cookies have been set.
Sessionid cookie works as intended as it’s HttpOnly and does not need to be saved. Csrftoken on the other hand I need to access because session authentication requires passed X-CSRFToken header with every unsafe request.

Here’s how I make a request to log the user in:

    fetch("https://myserveratpythonanywhere.com", {
        method: "POST",
        credentials:"include",
        body: JSON.stringify({
            username: "loginTest",
            password: "passwordTest"
        }),
        headers: {
            "Content-type": "application/json; charset=UTF-8"
        },
        mode: 'cors'
    })

And here’s part of my settings that concern CORS and CSRF:

CORS_ALLOWED_ORIGINS = [
   'https://myClient.site'
]

CORS_ALLOW_CREDENTIALS = True

CORS_EXPOSE_HEADERS = [
    'Set-Cookie'
]

CSRF_TRUSTED_ORIGINS = [
    'https://myClient.site'
]

CSRF_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = False
CSRF_USE_SESSIONS = False

SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True

I don’t know if it’s relevant, but here’s the login view:

@action(detail=False,
        methods=['post'])
def login(self, request):
    serializer = serializers.LoginSerializer(data=self.request.data,
        context={ 'request': self.request })
    serializer.is_valid(raise_exception=True)
    user = serializer.validated_data['user']
    login(request, user)
    return Response(None, status=status.HTTP_202_ACCEPTED)

I am totally lost as to why the csrftoken cookie does not set, even though I disabled HttpOnly property and configured samesite policy to None; Secure while sending a request via https.
Any help will be appreciated!
Thank you in advance.

I also had the same problem. Nowhere I got the answer. Then I decided to make another endpoint where when the user is if authenticated, it do proper validation and return the csrf token as a json response. I don’t know if this method is safe or not but it is works as my frontend developer query at that end point just after login and saves it for all the later use for the same session.