CSRF_COOKIE header used by .submit() doesn't seem to match cookieJar #75

mikemaccana opened this Issue Feb 16, 2012 · 0 comments


Hi there,

I'm not sure if this is a bug or I'm missing something. But Tobi (which is otherwise excellent) seems to be sending a CSRF_COOKIE header that doesn't match anything in the cookieJar.

I'm posting a form using Tobi's submit() that fails CSRF verification (a regular desktop browser works fine).
The issue seems to be a difference between the form cookie and the HTTP Header.



[ { str: 'csrftoken=8a09c3f0b62939458018f74020c6744e; expires=Thu, 14-Feb-2013 15:26:31 GMT; Max-Age=31449600; Path=/',
name: 'csrftoken',
csrftoken: '8a09c3f0b62939458018f74020c6744e',
expires: Thu, 14 Feb 2013 15:26:31 GMT,
'Max-Age': '31449600',
Path: '/',
value: '8a09c3f0b62939458018f74020c6744e' },
{ str: 'sessionid=d82a0a4a691481df3fb72b8f3b9e4d8a; expires=Thu, 01-Mar-2012 15:26:31 GMT; Max-Age=1209600; Path=/',
name: 'sessionid',
sessionid: 'd82a0a4a691481df3fb72b8f3b9e4d8a',
expires: Thu, 01 Mar 2012 15:26:31 GMT,
'Max-Age': '1209600',
Path: '/',
value: 'd82a0a4a691481df3fb72b8f3b9e4d8a' } ]

However, my server received the following from Tobi in its HTTP headers:

'CSRF_COOKIE': '347767c1a4baef48ab0272ca6ccfdf5f'

Where did the CSRF_COOKIE value come from (or more to the point, why can't I see it in cookieJar?) Has anyone encountered anything similar in the past?
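
A way to narrow down a failure like the one reported above is to rebuild the Cookie header a client should send from its jar and run the comparison a double-submit CSRF check makes on the server. This is an added example, not part of the original issue and not Tobi's code; the helper names and the `/form/` path are hypothetical, and the Set-Cookie strings are the two quoted in the post. It assumes a double-submit-cookie check; if the server is Django (the post does not say, though the cookie names match its defaults), `request.META['CSRF_COOKIE']` is filled in by the CSRF middleware, which generates a fresh value when the request carries no `csrftoken` cookie.

```javascript
// Hypothetical helpers for diagnosing a CSRF cookie/token mismatch (not Tobi's API).

// Parse one Set-Cookie string into { name, value, path }.
function parseSetCookie(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/' };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path' && v) cookie.path = v;
  }
  return cookie;
}

// Build the Cookie request header for `path` (simplified prefix path matching).
function cookieHeaderFor(jar, path) {
  return jar.filter((c) => path.startsWith(c.path))
    .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Double-submit check: the csrftoken cookie must be present and equal the form token.
// A production server should compare in constant time.
function checkDoubleSubmit(cookieHeader, formToken, cookieName = 'csrftoken') {
  const cookies = Object.fromEntries(
    cookieHeader.split(';').map((s) => s.trim()).filter(Boolean).map((s) => {
      const i = s.indexOf('=');
      return [s.slice(0, i), s.slice(i + 1)];
    }));
  if (!(cookieName in cookies)) return { ok: false, reason: 'cookie-not-sent' };
  if (!formToken) return { ok: false, reason: 'form-token-missing' };
  if (cookies[cookieName] !== formToken) return { ok: false, reason: 'token-mismatch' };
  return { ok: true, reason: 'match' };
}

// Set-Cookie strings as quoted in the issue.
const SET_COOKIES = [
  'csrftoken=8a09c3f0b62939458018f74020c6744e; expires=Thu, 14-Feb-2013 15:26:31 GMT; Max-Age=31449600; Path=/',
  'sessionid=d82a0a4a691481df3fb72b8f3b9e4d8a; expires=Thu, 01-Mar-2012 15:26:31 GMT; Max-Age=1209600; Path=/',
];
const jar = SET_COOKIES.map(parseSetCookie);
const expectedHeader = cookieHeaderFor(jar, '/form/'); // '/form/' is a constructed path
const formToken = jar[0].value; // constructed: form field echoing the cookie value

console.log('Cookie header to expect on the wire:', expectedHeader);
console.log('cookie sent:   ', checkDoubleSubmit(expectedHeader, formToken));
console.log('cookie dropped:', checkDoubleSubmit('sessionid=' + jar[1].value, formToken));
```

Comparing `expectedHeader` with the Cookie header the server actually logs for the POST shows whether the `csrftoken` cookie left the client at all.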


