django cookies not written even when I receive set cookie response header?


Ah, yes, sorry. You cannot get the csrftoken cookie easily. The only way I can think of is probably opening an iframe and sending the token to the application (its parent frame) in an event. But this approach can be quite error prone. I think it's better to be sending CSRF as a cookie. See stackoverflow.com/questions/20504846/

Cookies are included in requests automatically, so you don't need to access them in your scripts. See your request log - the csrftoken cookie is included there.

Cookies are not shared among different ports of a host (localhost in your case). The browser shows you content from localhost:4200, but the cookies are set to localhost:8000. They are correctly set and used, as can be seen in your second listing titled "Request header". So to see them in the browser, you would have to open a URL from localhost:8000. Even then the sessionid would not be listed in document.cookie(), because it's marked as "HttpOnly" (which means not available to JavaScript).

I need to do so to add the CSRF token as a header of the request (not as a cookie); this is how CSRF prevention works. The header key is called "X-CSRFToken" and is empty in my case, which causes Django to answer with 403 "missing csrf token or incorrect".

The iframe I mentioned would have to load a page from your backend. The page would contain just a script for sending the token on load and when the token changes.

OK for sessionid, but what about csrftoken? I need to access it (from :4200) using JavaScript to include it in the next request header. Is this possible?
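The pattern the thread describes (mirror the csrftoken cookie into the X-CSRFToken header, let the browser attach the HttpOnly sessionid itself), as an added example that is not from the thread. It assumes the front end is served from the same host as the Django backend so that document.cookie can see csrftoken; the cookie string parameter and the example URL are constructed for illustration.

```javascript
// Added example, not code from the thread. Reads Django's csrftoken cookie
// and attaches it as the X-CSRFToken header on state-changing requests.
// Assumption: the page shares the backend's host, so document.cookie can
// see csrftoken. The sessionid cookie is HttpOnly and is never read here;
// credentials: 'include' lets the browser send it.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
function getCookie(name, cookieString) {
  if (cookieString === undefined) {
    cookieString = typeof document !== 'undefined' ? document.cookie : '';
  }
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Methods Django does not CSRF-check; the header is only needed elsewhere.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build fetch() options: credentials so the cookies travel with the request,
// plus the X-CSRFToken header mirroring the csrftoken cookie value.
function buildCsrfRequestInit(method, body, cookieString) {
  const init = {
    method,
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
  if (!SAFE_METHODS.has(method.toUpperCase())) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) {
      // Django would answer 403 anyway; fail early with a clearer message.
      throw new Error('csrftoken cookie not visible to this origin');
    }
    init.headers['X-CSRFToken'] = token;
  }
  return init;
}

// Browser usage (constructed URL):
// fetch('http://localhost:8000/api/items/', buildCsrfRequestInit('POST', { name: 'x' }))
```

If the token is not visible (the cross-port situation in the thread), the helper throws before the request is sent, which is easier to diagnose than the server's 403.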
