
Solution when there is no csrftoken in the cookie

https://www.jianshu.com/p/9346bbc3a8f1

We usually assume that the csrftoken in the cookie is set by the CSRF middleware. That is indeed the case, but it is not the whole story. Here is a snippet of CsrfViewMiddleware's code:

from django.conf import settings
from django.utils.cache import patch_vary_headers


class CsrfViewMiddleware:  # excerpt: only process_response is shown here

    def process_response(self, request, response):
        if getattr(response, 'csrf_processing_done', False):
            return response

        # If CSRF_COOKIE is unset, then CsrfViewMiddleware.process_view was
        # never called, probably because a request middleware returned a response
        # (for example, contrib.auth redirecting to a login page).
        if request.META.get("CSRF_COOKIE") is None:
            return response

        # The key part is here
        if not request.META.get("CSRF_COOKIE_USED", False):
            return response

        # Set the CSRF cookie even if it's already set, so we renew
        # the expiry timer.
        response.set_cookie(settings.CSRF_COOKIE_NAME,
                            request.META["CSRF_COOKIE"],
                            max_age=settings.CSRF_COOKIE_AGE,
                            domain=settings.CSRF_COOKIE_DOMAIN,
                            path=settings.CSRF_COOKIE_PATH,
                            secure=settings.CSRF_COOKIE_SECURE,
                            httponly=settings.CSRF_COOKIE_HTTPONLY
                            )
        # Content varies with the CSRF cookie, so set the Vary header.
        patch_vary_headers(response, ('Cookie',))
        response.csrf_processing_done = True
        return response

The key point in this code is the check of CSRF_COOKIE_USED: if it has not been set, the middleware returns the response directly without setting csrftoken in the cookie.
So where does CSRF_COOKIE_USED get set? There are several ways:

  1. Set it manually. In your view, add request.META["CSRF_COOKIE_USED"] = True
  2. Manually call the CSRF middleware's get_token(request) or rotate_token(request) method
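To make the cause and effect visible without a Django project, here is an added, self-contained simulation (it is not Django's code and not the post author's code). The Request, Response and Settings classes are constructed stand-ins for HttpRequest, HttpResponse and django.conf.settings; get_token, process_view and process_response mirror the behaviour described above using the META key names the post quotes (CSRF_COOKIE, CSRF_COOKIE_USED); the real process_view also validates unsafe requests, which is left out here. The ensure_csrf_cookie wrapper models Django's real @ensure_csrf_cookie decorator, which simply calls get_token before the view runs. Running it shows that a view which never touches the token gets no csrftoken cookie, while the three ways listed above (setting the flag by hand, calling get_token, or the decorator) all do:

```python
import secrets


class Settings:
    """Constructed stand-in for django.conf.settings; names are Django's, values illustrative."""
    CSRF_COOKIE_NAME = "csrftoken"
    CSRF_COOKIE_AGE = 31449600
    CSRF_COOKIE_DOMAIN = None
    CSRF_COOKIE_PATH = "/"
    CSRF_COOKIE_SECURE = True
    CSRF_COOKIE_HTTPONLY = False


settings = Settings()


class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""
    def __init__(self, cookies=None):
        self.COOKIES = dict(cookies or {})
        self.META = {}


class Response:
    """Minimal stand-in for a Django HttpResponse (constructed for this example)."""
    def __init__(self, body=""):
        self.body = body
        self.cookies = {}   # name -> {"value": ..., plus cookie attributes}
        self.headers = {}

    def set_cookie(self, key, value, **attrs):
        self.cookies[key] = {"value": value, **attrs}


def get_token(request):
    """Mirror of django.middleware.csrf.get_token: mint a token if none is loaded,
    mark it as used (so process_response writes the cookie) and return it."""
    if request.META.get("CSRF_COOKIE") is None:
        request.META["CSRF_COOKIE"] = secrets.token_hex(16)
    request.META["CSRF_COOKIE_USED"] = True
    return request.META["CSRF_COOKIE"]


def ensure_csrf_cookie(view):
    """Same idea as Django's @ensure_csrf_cookie: call get_token before the view."""
    def wrapped(request):
        get_token(request)
        return view(request)
    return wrapped


def process_view(request):
    """Simplified CsrfViewMiddleware.process_view: load the token from the incoming
    cookie, or mint a fresh one. (Validation of unsafe methods is omitted here.)"""
    token = request.COOKIES.get(settings.CSRF_COOKIE_NAME) or secrets.token_hex(16)
    request.META["CSRF_COOKIE"] = token


def process_response(request, response):
    """The gating logic quoted from CsrfViewMiddleware.process_response."""
    if request.META.get("CSRF_COOKIE") is None:
        return response
    if not request.META.get("CSRF_COOKIE_USED", False):
        return response          # token never used in this request: no cookie written
    response.set_cookie(
        settings.CSRF_COOKIE_NAME, request.META["CSRF_COOKIE"],
        max_age=settings.CSRF_COOKIE_AGE, domain=settings.CSRF_COOKIE_DOMAIN,
        path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE,
        httponly=settings.CSRF_COOKIE_HTTPONLY,
    )
    response.headers["Vary"] = "Cookie"
    return response


def run(view, cookies=None):
    """Drive one request through process_view -> view -> process_response and
    return the cookies the client would receive."""
    request = Request(cookies)
    process_view(request)
    return process_response(request, view(request)).cookies


def api_view(request):                    # never touches the token: no csrftoken cookie
    return Response('{"ok": true}')


def api_view_manual_flag(request):        # way 1 from the list above
    request.META["CSRF_COOKIE_USED"] = True
    return Response('{"ok": true}')


def api_view_get_token(request):          # way 2 from the list above
    get_token(request)
    return Response('{"ok": true}')


def cookie_is_set(view, cookies=None):
    return settings.CSRF_COOKIE_NAME in run(view, cookies)


if __name__ == "__main__":
    for name, view in [("plain", api_view), ("manual flag", api_view_manual_flag),
                       ("get_token", api_view_get_token),
                       ("ensure_csrf_cookie", ensure_csrf_cookie(api_view))]:
        print(f"{name:>20}: csrftoken cookie set = {cookie_is_set(view)}")
```

A useful side check is the renewal path: when the client already sends a csrftoken cookie, process_response writes the same value back with a fresh max_age, which is the "renew the expiry timer" comment in the quoted source.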


Author: AlfredX
Link: https://www.jianshu.com/p/9346bbc3a8f1
Source: Jianshu
Copyright on Jianshu belongs to the author. For any form of reproduction, please contact the author for authorization and cite the source.