I have a ReactJS application deployed on one domain(abc.com) and a Django server is deployed on another domain(xyz.com). I have added a separate call to get the csrf token in Django as follows-
def csrf(request):
return JsonResponse({'csrfToken': get_token(request)})
When i call this API i get a Set-cookie response header which has a different csrftoken value as the json response from this API-
Set-Cookie: csrftoken=0b6qbRmAyF8QITIHbvFT2gGFOB98Vzg7cCRWvFWn2zzRbLon4BduX3P0orRX5Afh; expires=Tue, 01 Mar 2022 10:33:18 GMT; Max-Age=31449600; Path=/; SameSite=None; Secure
Whereas the response has the following csrf(which i save as cookie)-
{"csrfToken": "mMPB6X86ZzsS6T2rg1AN0e8MhG9raEn6ydA7qLITttTTzLI7978oV1h7RwRgkFmg"}
i need to send the csrftoken in the post call as well as a cookie and i cannot access the token sent in the cookie because it is of different domain (CORS) and neither can i overwrite that record. If i set
credentials: 'include',
in my fetch call and send the csrftoken in form data or as a request header(X-CSRFToken) then the call has the cookie sent to me as the cookie itself (0b6qbRmAyF8QITIHbvFT2gGFOB98Vzg7cCRWvFWn2zzRbLon4BduX3P0orRX5Afh) and the header/form data csrf as the one sent as json(mMPB6X86ZzsS6T2rg1AN0e8MhG9raEn6ydA7qLITttTTzLI7978oV1h7RwRgkFmg) and i get a 403 error with the message-
CSRF verification failed. Request aborted.
In my local system it works well because the cookie recieved from server is (most probably) overwritten by the one in json because both applications run on localhost and the same csrf is sent in all the places(cookie and form data/request header). How can the same result be achieved with different domains?