CSRF cookie not set

I’m having an issue where Django produces an error message CSRF cookie not set with a small population of users submitting forms (small number of AWS MTurkers trying to submit a form - maybe intermittent?).

I’m trying to fix this issue, but can’t reproduce it. Maybe I don’t understand what causes or the definition for CSRF cookie not set?

I’ve ask the users the following questions and typed in the typical answer:
Do you have cookies enabled: Yes
What is the name of the internet browser you are using? Variety of answers here
Are you using a private browser window or are in incognito mode? NOT incognito mode
Do you have an ad blocker? NO

Another solution is to remove this check all together by wrapping the route with csrf_exempt(). I was wondering if anyone knew the security implication (link to the documentation) if I did so?


There are a couple more questions that might narrow down the causes -

  1. Which form are they trying to submit? (Is it always the same form, or is it happening on different forms on the site?)

  2. Is any part of that page being modified by any type of javascript code? (e.g. Do you have anything that is modifying the form while it’s being filled out?)

  3. Are the users opening (or closing) multiple tabs on the web site? (Or logging in/out on other tabs)

  4. Are those users using any form of automation to control the browsers for filling out these forms?

In addition to finding out what browsers are being used, it might also be worth identifying the nature of the devices being used as well - is it their own private equipment or a shared computer? (Or even something like a public kiosk?) Are those people able to connect to the internet directly, or are they connecting through some type of proxy or firewall? (Yes, there are stateful proxies/firewalls that can identify and filter components of an http transaction.)

I think you’re digging generally in the right directions, but if it’s truly a small percentage of people where this is happening intermittently, there is some more detailed research that may be needed.