Django CSRF cookie not set correctly

17👍

Here is the issue: You cannot have a cookie whose key contains either the character '[' or ']'.

I discovered the solution following @Todor's link, then I found out about this SO post. Basically there was a bug in Python 2.7.x that does not parse cookies with ']' in the value. The bug was fixed in 2.7.10.

I thought it would be good to just confirm this issue. So I dug through all of the cookies and found one with the following key/value:

key: BDRCVFR[feWj1Vr5u3D]
val: I67x6TjHwwYf0

So I inserted the following cookie locally and submitted to the server:

key: test
val: BDRCVFR[feWj1Vr5u3D]

The login page worked, which means 2.7.10 indeed fixed the bug.

But then I realized that the square brackets are actually in the key name not in the value, so I did the following tests:

key: [
val: I67x6TjHwwYf0

and

key: ]
val: I67x6TjHwwYf0

Both cookies break the login process and Django displays:

CSRF cookie not set

So either Django or a Python library it relies on cannot parse cookies with square brackets in names properly. If anybody knows where I should submit this bug, please let me know (Django or Python).

I would like to thank everybody who left a comment in the OP: @raphv, @trinchet, @Phillip, @YPCrumble, @PeterBrittain and @Todor. Thank you guys so much for debugging with me!


Update: July 20, 2016

This bug is fixed in Django 1.10; just have to wait for the release.

Update: July 19, 2016

I filed a bug report to Django as the result of this post. We will see if it will be fixed in future releases.

👤Cheng
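
To check whether a request is affected by the failure described in the answer above, the following added example (not code from the answer or from Django) lists cookie names that are not valid RFC 6265 tokens and shows that a tolerant split on ';' still recovers `csrftoken`. The function names and the CSRF token value are constructed for illustration; the bracketed cookie is the one quoted in the answer.

```python
"""Added example: audit a Cookie header for names a strict parser may reject."""
import re
from http.cookies import SimpleCookie, CookieError

# RFC 6265 defines cookie-name as an HTTP token; '[' and ']' are separators,
# not token characters, so a strict parser is entitled to reject them.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def split_cookies(header):
    """Tolerant parse: split on ';' and on the first '=' only, never abort."""
    pairs = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.partition("=")
        if not sep:                      # bare value with no name
            name, value = "", name
        name, value = name.strip(), value.strip()
        if name or value:
            pairs[name] = value
    return pairs


def suspicious_names(header):
    """Return cookie names that are not valid RFC 6265 tokens."""
    return [n for n in split_cookies(header) if not TOKEN.match(n)]


def stdlib_sees(header, name):
    """Report whether this interpreter's SimpleCookie still exposes `name`."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return False
    return name in jar


# Constructed header: the bracketed cookie from the post plus a made-up CSRF token.
HEADER = "BDRCVFR[feWj1Vr5u3D]=I67x6TjHwwYf0; csrftoken=constructed-token-value"

if __name__ == "__main__":
    print("names a strict parser may reject:", suspicious_names(HEADER))
    print("tolerant parse finds csrftoken:", "csrftoken" in split_cookies(HEADER))
    print("SimpleCookie finds csrftoken:", stdlib_sees(HEADER, "csrftoken"))
```

The `stdlib_sees` result depends on the Python version running it, which is why it is only reported and not relied on.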
