11 months ago

## Django CSRF cookie not set

I have actually found a bug in Django:

Here is the issue: you cannot have a cookie whose key contains either the character '[' or ']'.

I discovered the solution following @Todor's link, then I found out about this SO post. Basically there was a bug in Python 2.7.x that does not parse cookies with ']' in the value. The bug was fixed in 2.7.10.

I thought it would be good to just confirm this issue. So I dug through all of the cookies and found one with the following key/value:

So I inserted the following cookie locally and submitted it to the server:

The login page worked, which means 2.7.10 indeed fixed the bug.

But then I realized that the square brackets are actually in the key name not in the value, so I did the following tests:

and

Both cookies break the login process and Django displays:

If an invalid cookie comes before the csrftoken cookie in the Cookie field of the HTTP request header, then Django will ignore everything after the invalid cookie, which makes Django think that the CSRF cookie is not set.

I filed a bug report with Django. This bug is fixed in version 1.10, so make sure you update Django when 1.10 is released.
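The parsing behaviour described in this answer can be reproduced with the standard library's `SimpleCookie`, whose regex-based parser stops at the first cookie name it cannot match. The script below is an added example (not code from the answer or from Django): the headers are constructed samples, `parse_strict` shows the drop-everything-after-the-bad-key effect, and `parse_lenient` is my own split-on-`;` parser in the spirit of the tolerant approach, so a malformed neighbour no longer hides `csrftoken`.

```python
from http.cookies import SimpleCookie

# Constructed sample Cookie headers. Two carry a name with a square bracket,
# which the stdlib cookie grammar does not allow in a cookie *name*; one
# carries brackets only in a *value*, which has been accepted since 2.7.10.
GOOD_HEADER = "csrftoken=abc123; sessionid=sess456"
BAD_KEY_BEFORE = "widget[0]=x; csrftoken=abc123; sessionid=sess456"
BAD_KEY_AFTER = "csrftoken=abc123; widget]0=x; sessionid=sess456"
BRACKET_IN_VALUE = "csrftoken=abc123; prefs=a[1]; sessionid=sess456"


def parse_strict(header):
    """Parse a Cookie header with the regex-based SimpleCookie.

    Parsing silently stops at the first name that fails the grammar, so
    every cookie after it is dropped; no exception is raised.
    """
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parse_lenient(header):
    """Split on ';' and on the first '=' only, keeping well-formed pairs.

    A bad name in one pair does not affect the pairs around it, so a
    csrftoken that follows it is still seen (illustrative, not Django's code).
    """
    cookies = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue
        key, val = chunk.split("=", 1)
        key, val = key.strip(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # drop surrounding double quotes
        if key:
            cookies[key] = val
    return cookies


def csrf_cookie_present(header, parser):
    """True if the given parser still sees the csrftoken cookie."""
    return "csrftoken" in parser(header)


if __name__ == "__main__":
    samples = [("good", GOOD_HEADER), ("bad key first", BAD_KEY_BEFORE),
               ("bad key after", BAD_KEY_AFTER), ("] in value", BRACKET_IN_VALUE)]
    for label, hdr in samples:
        print(f"{label:14} strict={parse_strict(hdr)}")
        print(f"{'':14} lenient={parse_lenient(hdr)}")
```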