iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

Enabling session auth and cookie auth gives csrf failed error #473

Open mandarup opened 1 year ago

mandarup commented 1 year ago

I have these settings:

REST_SESSION_LOGIN = True
REST_USE_JWT = True
JWT_AUTH_COOKIE = 'access_token'
JWT_AUTH_REFRESH_COOKIE = 'refresh_token'
LOGOUT_ON_PASSWORD_CHANGE = True
JWT_AUTH_COOKIE_USE_CSRF = True
JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED = True
JWT_AUTH_HTTPONLY = True

Then logging in at /dj-rest-auth/login/ adds four cookies: csrf, access, refresh, and sessionid.

Then logging out at /dj-rest-auth/logout/

This fails with error:

CSRF Failed: CSRF token from the 'X-Csrftoken' HTTP header incorrect

But if I change the settings.py option:

REST_SESSION_LOGIN = False

Then I can log in and log out successfully, and as expected it doesn't set the sessionid cookie.

Could you please help me understand what causes this behavior?
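For readers tracing the error above, here is an added stand-alone illustration (not code from dj-rest-auth or from the issue) of the double-submit check that Django's CsrfViewMiddleware performs when session authentication makes a view CSRF-protected: the X-CSRFToken header must carry either the csrftoken cookie secret or its masked 64-character form. The alphabet, lengths and masking scheme follow the Django 4.x layout as an assumption; the request dicts are constructed sample input.

```python
import secrets
import string

# Assumption: alphabet and lengths as used by Django 4.x CsrfViewMiddleware.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def get_new_csrf_string() -> str:
    """Random 32-char secret; this is the value stored in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_cipher_secret(secret: str) -> str:
    """Build the 64-char masked token a client would send in X-CSRFToken."""
    mask = get_new_csrf_string()
    pairs = zip(map(CSRF_ALLOWED_CHARS.index, secret), map(CSRF_ALLOWED_CHARS.index, mask))
    cipher = "".join(CSRF_ALLOWED_CHARS[(x + y) % len(CSRF_ALLOWED_CHARS)] for x, y in pairs)
    return mask + cipher


def unmask_cipher_token(token: str) -> str:
    """Remove the mask to recover the secret (negative indices wrap around)."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip(map(CSRF_ALLOWED_CHARS.index, cipher), map(CSRF_ALLOWED_CHARS.index, mask))
    return "".join(CSRF_ALLOWED_CHARS[x - y] for x, y in pairs)


def csrf_check(cookies: dict, headers: dict) -> tuple[bool, str]:
    """Double-submit check: compare the X-CSRFToken header with the csrftoken cookie.

    Returns (ok, reason). A logout request that authenticates via the JWT cookie but
    omits or mismatches the header fails here, which is the failure mode in the issue.
    """
    cookie_secret = cookies.get("csrftoken")
    if cookie_secret is None or len(cookie_secret) != CSRF_SECRET_LENGTH:
        return False, "CSRF cookie not set."
    header = headers.get("X-CSRFToken")
    if header is None:
        return False, "CSRF token from the 'X-Csrftoken' HTTP header missing."
    if any(c not in CSRF_ALLOWED_CHARS for c in header):
        return False, "CSRF token from the 'X-Csrftoken' HTTP header has invalid characters."
    if len(header) == CSRF_TOKEN_LENGTH:
        header = unmask_cipher_token(header)  # masked form: recover the secret first
    elif len(header) != CSRF_SECRET_LENGTH:
        return False, "CSRF token from the 'X-Csrftoken' HTTP header has incorrect length."
    if not secrets.compare_digest(header, cookie_secret):
        return False, "CSRF token from the 'X-Csrftoken' HTTP header incorrect."
    return True, ""
```

A browser client that keeps REST_SESSION_LOGIN enabled therefore has to read the csrftoken cookie and echo it in X-CSRFToken on the logout POST; with JWT_AUTH_HTTPONLY the access and refresh cookies are not readable from JavaScript, but the csrftoken cookie is.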