Cookiecutter-django: [Question] How to implement SPA's CSRF flow if we set CSRF_COOKIE_HTTPONLY = True in production?

Created on 3 Mar 2017  ·  6 Comments  ·  Source: pydanny/cookiecutter-django

Hi! Setting CSRF_COOKIE_HTTPONLY = True in production doesn't let me grab the CSRF token from cookies as described in the Django docs, because document.cookie is empty.

Given that I want to keep the SessionAuthentication flow, could you please advise a proper way of handling this scenario? It works if I reset this setting to False, but I suppose you set it to True for a reason.

I'm using Django REST Framework + React and Axios lib for requests.

Thanks!

All 6 comments

Do any of the examples of stack overflow suffice?

@pydanny what kind of examples are you talking about? I haven't seen examples that show how to read HttpOnly cookies via JS, because that's what they're designed for: to prevent that kind of reading.

When CSRF_COOKIE_HTTPONLY is set you can't grab the CSRF token from cookies. To make it work, you have to inject it from the DOM. To borrow from the upcoming TSD 1.11, in the DOM we put:

<html>
<!-- Placed anywhere in the page, doesn't even need to
      be in a form as the input element is hidden -->
{% csrf_token %}
</html>

Then if we used jQuery we could get that piece of the DOM:

var csrfToken = $('[name=csrfmiddlewaretoken]').val();  // jQuery

Hopefully you did not turn off CSRF 😜
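The flow described in the comment above, as an added example (not code from this thread, cookiecutter-django, Django or Axios), generalized with a cookie fallback for the CSRF_COOKIE_HTTPONLY = False case that the later comments discuss. It assumes Django's defaults: {% csrf_token %} renders an input named csrfmiddlewaretoken, CSRF_HEADER_NAME = HTTP_X_CSRFTOKEN means the request header is X-CSRFToken, and the cookie is named csrftoken. SAMPLE_DOC is a constructed stand-in for the browser document so the code runs outside a browser. Two caveats the thread does not spell out: {% csrf_token %} is only expanded if the SPA's index.html is rendered by a Django template view (a static index.html served straight from nginx or a CDN keeps the literal tag and no token ever reaches the DOM), and since Django 1.10 the hidden input's value is a masked form of the secret, so it will not equal the cookie value; the middleware accepts either, so the mismatch is not a bug.

```javascript
// Added example for this thread (not code from cookiecutter-django, Django
// or Axios): resolving the CSRF token for an SPA when CSRF_COOKIE_HTTPONLY
// is True, then attaching it to Axios requests. The names below are Django's
// defaults: {% csrf_token %} renders <input name="csrfmiddlewaretoken">,
// CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' makes the header X-CSRFToken, and
// CSRF_COOKIE_NAME defaults to 'csrftoken'.

const CSRF_INPUT_NAME = 'csrfmiddlewaretoken';
const CSRF_HEADER = 'X-CSRFToken';
const CSRF_COOKIE = 'csrftoken';

// Methods Django's CsrfViewMiddleware exempts from the check; every other
// method (POST, PUT, PATCH, DELETE) must carry the header.
const CSRF_SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Constructed stand-in for a page Django rendered with {% csrf_token %}, so
// the example runs outside a browser. The cookie string carries no csrftoken:
// that is exactly what an HttpOnly cookie looks like to script.
const SAMPLE_DOC = {
  cookie: 'sessionid=s3ss10n',
  querySelector(selector) {
    return selector.includes(CSRF_INPUT_NAME) ? { value: 'sampleTokenFromDom' } : null;
  },
};

// Read the token from the hidden input. Works under CSRF_COOKIE_HTTPONLY = True
// because the value is in the DOM, not in document.cookie. In the browser,
// call it without arguments to use the real document.
function csrfTokenFromDom(doc = globalThis.document) {
  if (!doc || typeof doc.querySelector !== 'function') return null;
  const input = doc.querySelector(`input[name="${CSRF_INPUT_NAME}"]`);
  return input && input.value ? input.value : null;
}

// Fallback for deployments that keep CSRF_COOKIE_HTTPONLY = False: the
// cookie-parsing approach the Django docs describe, written defensively.
function csrfTokenFromCookie(cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    const value = rest.join('=');
    if (name === CSRF_COOKIE && value) return decodeURIComponent(value);
  }
  return null;
}

// DOM first (works under either setting), cookie second.
function resolveCsrfToken(doc = globalThis.document) {
  return csrfTokenFromDom(doc) || csrfTokenFromCookie(doc && doc.cookie);
}

// Headers for one request: the token goes only on methods Django checks, and
// a missing token on a checked method fails loudly instead of yielding a 403.
function csrfHeadersFor(method, token) {
  if (CSRF_SAFE_METHODS.has(String(method).toUpperCase())) return {};
  if (!token) {
    throw new Error('No CSRF token: is {% csrf_token %} rendered into this page?');
  }
  return { [CSRF_HEADER]: token };
}

// Axios request-interceptor body. Returns a new config object; Axios passes
// the request config through interceptors and uses what they return.
function withCsrfHeader(config, token) {
  const extra = csrfHeadersFor(config.method || 'get', token);
  return { ...config, headers: { ...(config.headers || {}), ...extra } };
}

// Browser wiring (assumed usage, not run here). Scope the instance to your
// own API with baseURL so the token is never sent to third-party hosts:
//   const api = axios.create({ baseURL: '/api/' });
//   api.interceptors.request.use((cfg) => withCsrfHeader(cfg, resolveCsrfToken()));
//   api.patch('profile/', { name: 'x' });   // carries X-CSRFToken
```

Axios's built-in xsrfCookieName/xsrfHeaderName support reads document.cookie, so it cannot help while the cookie is HttpOnly; the interceptor above replaces it. Do not pair this with @csrf_exempt on the views: the point of the setup is that DRF's SessionAuthentication still enforces the check on unsafe methods.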

@pydanny, what should I be worried about if CSRF_COOKIE_HTTPONLY was set to False? (AJAX app) Reference to Django contrib's comment - http://disq.us/p/12ahfh0

Thanks in advance!

This setting also breaks the browsable API of django rest framework for put/patch requests. Maybe there's a good reason for this setting. But even then, why is it only True for production? It would have been much easier for me to debug this locally.

Looks like there is no practical reason to keep CSRF_COOKIE_HTTPONLY = True (as per django docs)
