CSRF verification fails when trying to login in an already logged in application Django

Tags: python, django

Here is what I did:

  1. I have two tabs open on my browser, and I have the login form loaded in both the tabs.
  2. I login with the required credentials on the first tab.
  3. I again try to login by providing the credentials on the second tab.
  4. I get an error on the second tab: CSRF verification failed. Request aborted.

I have used the {% csrf_token %} in my login form and CsrfViewMiddleware in settings.py.

Also, I tried the same with the default admin application and got the same error.

asked May 27 '15 11:05 by ashu


1 Answer

This is to be expected. The login operation rotates the CSRF token, otherwise it would be possible to use the token from outside the authenticated session.

Hence what happens in your case:

  1. Retrieve login page in Tab 1 (with unauthenticated "form" CSRF token)
  2. Retrieve login page in Tab 2 (with unauthenticated "form" CSRF token)
  3. Login in Tab 1, CSRF "cookie" token gets cycled server side, browser cookie gets updated
  4. Try to login in Tab 2, sends new cookie (tabs do not separate sessions), but old "form" token.
  5. Second login request is rejected (because "form" token and "cookie" token mismatch).

This is an interaction between the fact that using multiple browser tabs does not separate sessions and the fact that the login operation cycles the "cookie" CSRF token sent to you by the server.

Any page loaded before the login operation that takes place in the same session (e.g. in a different browser tab) will now have an incorrect CSRF "form" token.

answered Sep 30 '22 11:09 by dhke
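The five-step sequence in the answer can be replayed in a small simulation. The code below is an added example, not part of the original question or answer and not Django's own code: it re-implements a simplified version of the scheme Django's CsrfViewMiddleware uses (a secret in the cookie, a per-page masked copy of that secret in the form, and rotation of the secret on login) with a `Server` class and a shared cookie jar standing in for Django and the browser. The class and function names are assumptions chosen for the illustration; the character set and 32-character secret length mirror Django's, but the masking here is a simplified model.

```python
import secrets
import string

# Assumption: simplified model of Django's CSRF token layout, written for illustration.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32


def new_secret():
    """Random cookie secret, as set on the first GET of a page using {% csrf_token %}."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret):
    """Form token = random mask + (secret char + mask char) mod alphabet size.

    Every rendered page gets a different-looking form token for the same cookie
    secret, but all of them unmask back to that one secret.
    """
    mask = new_secret()
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Inverse of mask_secret: recover the secret the form token was derived from."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


class Server:
    """Stand-in for the Django side (assumption: models only the CSRF check)."""

    def render_login_page(self, cookies):
        # GET: make sure the cookie secret exists, embed a freshly masked form token.
        if "csrftoken" not in cookies:
            cookies["csrftoken"] = new_secret()
        return mask_secret(cookies["csrftoken"])

    def post_login(self, cookies, form_token):
        # POST: form token must unmask to the secret currently in the cookie.
        secret = cookies.get("csrftoken")
        well_formed = (
            len(form_token) == 2 * CSRF_SECRET_LENGTH
            and all(c in CSRF_ALLOWED_CHARS for c in form_token)
        )
        if secret is None or not well_formed:
            return 403, "CSRF verification failed. Request aborted."
        if not secrets.compare_digest(unmask_token(form_token), secret):
            return 403, "CSRF verification failed. Request aborted."
        # Successful login rotates the secret (what Django's rotate_token() does);
        # the browser stores the new cookie, so older form tokens no longer match.
        cookies["csrftoken"] = new_secret()
        return 200, "logged in"


def two_tab_scenario():
    """Replay the answer's steps 1-5 and return the two login status codes."""
    server = Server()
    cookies = {}  # one cookie jar: both tabs share it, just like a real browser
    tab1_token = server.render_login_page(cookies)  # step 1
    tab2_token = server.render_login_page(cookies)  # step 2
    first, _ = server.post_login(cookies, tab1_token)   # step 3: secret rotated
    second, _ = server.post_login(cookies, tab2_token)  # step 4/5: stale form token
    return first, second


def reload_then_login():
    """Reloading the login page in tab 2 after step 3 picks up a token for the new secret."""
    server = Server()
    cookies = {}
    tab1_token = server.render_login_page(cookies)
    server.post_login(cookies, tab1_token)
    fresh_tab2_token = server.render_login_page(cookies)
    status, _ = server.post_login(cookies, fresh_tab2_token)
    return status


if __name__ == "__main__":
    print(two_tab_scenario())    # (200, 403)
    print(reload_then_login())   # 200
```

Running `two_tab_scenario()` gives `(200, 403)`: the first tab logs in, the second tab presents a form token that unmasks to the pre-login secret and is rejected, which is exactly the mismatch described in step 5. `reload_then_login()` shows that re-fetching the page in the stale tab produces a token bound to the rotated cookie secret and the check passes again.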