When testing setting/reading cookies via JavaScript, I see Django sets a csrftoken cookie. There is no javascript on the page that sets the cookie, and I checked the Response Headers and can’t see a Set-Cookie header.
I can see a request csrftoken header cookie, but not in the response.
Looking at the auth login in code, I traced the code to setting cookies to:
django.http.response.HttpResponseBase.set_cookie()
However that code appears to be setting a dict, that something else consumes, so I don’t know how to trace it from there.
So how does Django set a cookie successfully that is maintained between reloads and different pages?