Support customized CSRF token cookie name · Issue #4048 · encode/django-rest-framework (original) (raw)

Skip to content

Navigation Menu

• • GitHub Copilot Write better code with AI
  • GitHub Advanced Security Find and fix vulnerabilities
  • Actions Automate any workflow
  • Codespaces Instant dev environments
  • Issues Plan and track work
  • Code Review Manage code changes
  • Discussions Collaborate outside of code
  • Code Search Find more, search less
• Explore
  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights
• • GitHub Sponsors Fund open source developers
  • The ReadME Project GitHub community articles
• • Enterprise platform AI-powered developer platform
• Pricing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign up

Appearance settings

Description

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

1. Activate SessionAuthentication for all views, or a single view.
2. Set CSRF_COOKIE_NAME to a non-default value.
3. Login.
4. Navigate to a view secured by SessionAuthentication via the Browseable API.
5. Attempt to a PATCH/POST/PUT operation.

Expected behavior

The action should be completed successfully.

Actual behavior

The action fails with HTTP status 403, and the message CSRF Failed: CSRF token missing or incorrect..

csrf.js has the cookie name hardcoded: https://github.com/tomchristie/django-rest-framework/blob/bb56ca46ed6c07db0146dbdc61c672ff25f127de/rest_framework/static/rest_framework/js/csrf.js#L36. It should instead get the cookie name from settings.