Opened 6 years ago
Closed 6 years ago
#30282 closed Bug (invalid)
CSRF token invalid after DELETE request
Reported by: | My-Tien Nguyen | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 2.1 |
Severity: | Normal | Keywords: | CSRF RESTful-API DELETE |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I am using a RESTful API in my Django server with CSRF middleware enabled.
When I only use GET and POST requests, all works as expected. But when I send a DELETE request to a resource and afterwards perform a POST request – that contains a csrf cookie and csrfmiddlewaretoken in the body – the latter is rejected with "CSRF token missing or incorrect" and I have to log in again.
DELETE request Headers:
- REQUEST_METHOD: DELETE
- CONTENT_TYPE: "application/x-www-form-urlencoded"
- HTTP_COOKIE: sessionid=[session id], csrftoken=[csrfcookie]
- HTTP_X_CSRFTOKEN: [csrfcookie] (I also don’t understand why DELETE needs this extra header with the same content as the csrftoken…)
- HTTP_REFERER: [url]
DELETE request Body: csrfmiddlewaretoken: [csrfcookie]
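As an added example (not code from the ticket or from Django), this client helper shows how a browser-side caller should carry the CSRF token for the request shapes described above: Django's `CsrfViewMiddleware` reads `csrfmiddlewaretoken` from the form body only on POST, so for DELETE (and PUT/PATCH) the token has to travel in the `X-CSRFToken` header, which is why that header appears in the DELETE request. Cookie and header names are Django's defaults; the cookie string and token value below are constructed samples.

```javascript
// Added example: attach the Django CSRF token the way CsrfViewMiddleware
// expects for each HTTP method. Assumes Django's default CSRF_COOKIE_NAME
// ("csrftoken") and CSRF_HEADER_NAME (sent as "X-CSRFToken"); if
// CSRF_COOKIE_HTTPONLY is enabled the cookie is not readable from JS and
// the token must come from the rendered template instead.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one cookie value out of a "k=v; k2=v2" string (document.cookie format).
function getCookie(name, cookieString) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build fetch() options for a same-origin call to a Django view. The session
// and csrftoken cookies are sent by the browser via credentials: "same-origin";
// the CSRF token is added as a header only for unsafe methods, so a DELETE
// passes the middleware check without needing a form-encoded body.
function buildRequestInit(method, cookieString, body = undefined) {
  const init = { method: method.toUpperCase(), credentials: "same-origin", headers: {} };
  if (!SAFE_METHODS.has(init.method)) {
    const token = getCookie("csrftoken", cookieString);
    if (token === null) {
      // Fail closed: an unsafe request without a token would be rejected anyway.
      throw new Error("csrftoken cookie missing; refusing to send " + init.method);
    }
    init.headers["X-CSRFToken"] = token;
  }
  if (body !== undefined) {
    init.headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return init;
}

// Constructed sample cookie header (not real session data).
const sampleCookies = "sessionid=constructedSession; csrftoken=constructedToken";
console.log(buildRequestInit("DELETE", sampleCookies));
// Usage in a page: fetch("/api/items/42/", buildRequestInit("DELETE", document.cookie))
```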
It looks like a support issue, not a bug in Django. Please use one of the support channels.