[Fixed]-Django, Django REST Framework, Internet Explorer and CSRF token missing or incorrect


Found it! Well, it is documented by Microsoft…

Our production app has two login schemes:

  1. extranet (domain/extranet/).
  2. intranet (subdomain.domain/intranet/): will be replaced with subdomainname/intranet within a few months.

If we log in to the extranet and thereafter into the intranet, we have two CSRF tokens related to the domain. So reqCSRFToken() was getting two CSRF tokens and was using the wrong one (the first that matched “csrftoken”) because Internet Explorer sends the domain cookie to the subdomain.

var secureCheck = {
    // Return the value of Django's CSRF cookie (null when it is absent).
    reqCSRFToken: function () {
        var csrfTokenValeur = secureCheck.reqCookie('csrftoken');
        return csrfTokenValeur;
    },

    // Return the value of the first cookie called `name` in document.cookie.
    // When the browser sends two cookies with the same name (one set on the
    // domain, one on the subdomain) the first one wins, which is the problem
    // described above.
    reqCookie: function (name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                // String.prototype.trim() replaces the original jQuery.trim() so no jQuery is needed
                var cookie = cookies[i].trim();
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }
};

https://stackoverflow.com/a/17371607/2257881
https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/

👤RastaqWhere
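The duplicate-cookie situation described in the post, reproduced on a constructed cookie string, with a lookup that refuses to guess when two `csrftoken` values arrive (added example, not the poster's code; `parseCookies`, `getAllCookies`, `resolveCsrfToken` and the sample values are assumptions, while `csrfmiddlewaretoken` is the hidden input Django's `{% csrf_token %}` tag renders):

```javascript
// Constructed sample: a parent-domain cookie and a subdomain cookie both named
// "csrftoken", as a browser that sends the domain cookie to the subdomain would deliver them.
var SAMPLE_COOKIES = 'csrftoken=EXTRANETTOKEN; sessionid=abc123; csrftoken=INTRANETTOKEN';

// Parse a document.cookie style string into [name, value] pairs, keeping
// duplicates: once the cookies are in the string there is no Domain attribute
// left to tell the two "csrftoken" entries apart.
function parseCookies(cookieString) {
    var pairs = [];
    if (!cookieString) return pairs;
    cookieString.split(';').forEach(function (part) {
        var item = part.trim();
        var eq = item.indexOf('=');
        if (!item || eq < 0) return;              // skip empty or malformed fragments
        var name = item.substring(0, eq).trim();
        var value = decodeURIComponent(item.substring(eq + 1));
        pairs.push([name, value]);
    });
    return pairs;
}

// Every value carried under `name` (zero, one or several).
function getAllCookies(cookieString, name) {
    return parseCookies(cookieString)
        .filter(function (p) { return p[0] === name; })
        .map(function (p) { return p[1]; });
}

// Choose the CSRF token to send with an AJAX request.
// 1. A token rendered into the page (the hidden "csrfmiddlewaretoken" input) is
//    tied to the response that served this page, so it is preferred.
// 2. The cookie is used only when exactly one candidate exists.
// 3. With duplicates the caller gets 'ambiguous' instead of a silently chosen
//    first match, so the failure shows up in the client instead of as a 403.
function resolveCsrfToken(cookieString, formTokenValue) {
    if (formTokenValue) {
        return { token: formTokenValue, source: 'form' };
    }
    var candidates = getAllCookies(cookieString, 'csrftoken');
    if (candidates.length === 1) {
        return { token: candidates[0], source: 'cookie' };
    }
    return { token: null, source: candidates.length === 0 ? 'missing' : 'ambiguous' };
}
```

In a browser, `formTokenValue` would come from `document.querySelector('input[name=csrfmiddlewaretoken]')` and `cookieString` from `document.cookie`.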
