Friday, September 27, 2013

Re: Django can not delete csrftoken after logout

Is the next request to a CSRF protected view? The Django CSRF middleware will keep sending a cookie if so.

I think the best approach to handle varnish + csrf cookies is to ignore the CSRF on any request path that doesn't need it. In other words, just because it exists doesn't mean you should vary on it.

Likewise the session cookie doesn't even need to be passed along unless the response truly does vary on the user.

On Monday, September 23, 2013 6:01:09 AM UTC-7, Joao Da Silva wrote:

Hi all

I am using varnish as a front end cache for a Django app. It all works well with regards to the VCL configuration. The issue i have is that after the user logs out the csrftoken cookie is not deleted and from then on the varnish has a MISS response instead of a HIT. After reading here on stackoverflow some related questions i have this logout view

def logout_view(request):      response = render_to_response('registration/logout.html', {}, context_instance=RequestContext(request))        if request.user.is_authenticated():          logout(request)            if request.GET.get('next', False):             response = HttpResponseRedirect(next)        response.delete_cookie('sessionid')      response.delete_cookie('csrftoken')      return response

and this Response headers after user has hit the logout page

Response Headers  Age:0  Cache-Control:max-age=600  Connection:keep-alive  Content-Language:en  Content-Type:text/html; charset=utf-8  Date:Mon, 23 Sep 2013 09:20:43 GMT  Expires:Mon, 23 Sep 2013 09:30:43 GMT  P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"  Server:nginx/1.4.1  Set-Cookie:sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/  Set-Cookie:csrftoken=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/  Transfer-Encoding:chunked  Vary:Cookie, Accept-Language, Host  Via:1.1 varnish  X-Cache:MISS  X-Varnish:1950616479

default.vcl for completeness:

backend default {      .host = "";      .port = "8000";  }    sub vcl_recv {      set req.grace = 15s;        if (req.http.Cookie) {          set req.http.Cookie = regsuball(req.http.Cookie, "(^|; ) *__utm.=[^;]+;? *", "\1"); # removes all cookies named __utm? (utma, utmb...) - tracking thing      }        # unless sessionid/csrftoken is in the request, don't pass ANY cookies (referral_source, utm, etc)      if (req.request == "GET" && (req.url ~ "^/static" || (req.http.cookie !~ "flash_sessionid" && req.http.cookie !~ "csrftoken"))) {          remove req.http.Cookie;      }        # normalize accept-encoding to account for different browsers      # see:      if (req.http.Accept-Encoding) {          if (req.http.Accept-Encoding ~ "gzip") {              set req.http.Accept-Encoding = "gzip";          } elsif (req.http.Accept-Encoding ~ "deflate") {              set req.http.Accept-Encoding = "deflate";          } else {                # unknown algorithm                remove req.http.Accept-Encoding;          }      }  }    sub vcl_fetch {      set beresp.ttl = 300s;      set beresp.grace = 15s;        # static files always cached       if (req.url ~ "^/static") {         unset beresp.http.set-cookie;         return (deliver);        }        # pass through for anything with a session/csrftoken set      if (beresp.http.set-cookie ~ "flash_sessionid" || beresp.http.set-cookie ~ "csrftoken") {         return (hit_for_pass);      } else {         return (deliver);      }  }    sub vcl_deliver {      # Add a header to indicate a cache HIT/MISS      if (obj.hits > 0) {          set resp.http.X-Cache = "HIT";      } else {          set resp.http.X-Cache = "MISS";      }      return (deliver);  }

On the response headers i see Django setting the cookie value to a date in the past, however the csrftokencookie still persists on the next request.

I also tried to remove the 'django.middleware.csrf.CsrfViewMiddleware' middleware but the cookie is still there.

Any tips please Thanks

You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

No comments:

Post a Comment