Hello all,
I have a strange problem with a POST form submission from IE.
Apparently, the browser spontaneously starts sending a different CSRF
cookie with the POST request:

-> GET /form/
<- 200, Set-Cookie: csrftoken=abcd
-> GET /some/resource, Cookie: csrftoken=abcd
<- 200
-> GET /some/otherresource, Cookie: csrftoken=abcd
<- 200
-> POST /form/, Cookie: csrftoken=efgh, Data: csrfmiddlewaretoken=abcd
<- 403 Forbidden (or rather, FORBIDDEN, from IIS, but I doubt that's
relevant)

After that, the user retries, and the browser faithfully GETs all the
parts again with the "abcd" cookie, the user hits the button, and the
POST request happens again with the "efgh" one and the same predictable
result. Explicitly reloading the form page, so the browser gets the
Set-Cookie again, seems to help, until the next time.
As I understand cookies, when they are set, they supersede any previous
value for the same name and domain. So where does that different value
come from, and how do I get rid of it?
I started sending the form page itself with Cache-Control: no-cache,
just in case the browser somehow cached the request, but that was a wild
guess and probably wrong.
Please help.
--
Christian
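
Added example, not part of the original post: a small Python audit that replays the exchange quoted in the message and flags any request whose csrftoken cookie was never issued in the capture, or whose cookie does not match the submitted csrfmiddlewaretoken. The plain comparison is a simplified model of a double-submit check, not Django's middleware code, and the names `TRACE` and `audit` are hypothetical.

```python
import hmac
import re

# The exchange from the post, transcribed as data (status text shortened).
TRACE = """\
-> GET /form/
<- 200, Set-Cookie: csrftoken=abcd
-> GET /some/resource, Cookie: csrftoken=abcd
<- 200
-> GET /some/otherresource, Cookie: csrftoken=abcd
<- 200
-> POST /form/, Cookie: csrftoken=efgh, Data: csrfmiddlewaretoken=abcd
<- 403 Forbidden
"""

SET_RE = re.compile(r"Set-Cookie: csrftoken=(\w+)")
COOKIE_RE = re.compile(r"Cookie: csrftoken=(\w+)")
FORM_RE = re.compile(r"csrfmiddlewaretoken=(\w+)")
REQ_RE = re.compile(r"^-> (\w+) ([^\s,]+)")


def audit(trace):
    """Return (line_no, request, finding) tuples for suspicious requests."""
    issued = set()  # csrftoken values the server set during this capture
    findings = []
    for no, line in enumerate(trace.splitlines(), 1):
        if line.startswith("<-"):
            issued.update(SET_RE.findall(line))
            continue
        req = REQ_RE.match(line)
        if not req:
            continue
        label = f"{req.group(1)} {req.group(2)}"
        cookie = COOKIE_RE.search(line)
        form = FORM_RE.search(line)
        if cookie and cookie.group(1) not in issued:
            findings.append(
                (no, label, f"cookie {cookie.group(1)!r} was never set in this capture"))
        # Simplified double-submit check: cookie value must equal form token.
        if cookie and form and not hmac.compare_digest(cookie.group(1), form.group(1)):
            findings.append((no, label, "cookie and form token differ"))
    return findings


if __name__ == "__main__":
    for no, label, finding in audit(TRACE):
        print(f"line {no}: {label}: {finding}")
```

Run against a fuller capture (for example a proxy log reduced to this line format), the first finding narrows down whether the stray value originated outside the recorded session.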