I am trying to launch my application, which was written with Django 1.6.5, in a Salesforce web tab iframe. I was getting a "CSRF cookie not set" error while trying to log in. I understood from the console logs that the latest version of Chrome only allows cookies which are set with 'secure'=True and samesite=None. I understood that these settings can be added in settings.py in later versions of Django:
SESSION_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
But this does not work in Django 1.6.5. I have been trying to find out how to apply these settings in my version.
There is no support for the samesite setting in Django 1.6.5; that is the reason adding those to settings.py did not work. Django 3.1 is where they started supporting this setting. I tried adding my own middleware to add the setting to the cookies, but I got an invalid field error. Then I found a library I can use for this: django-cookies-samesite. I was able to set samesite to None and secure to True, and then I was able to log in through the Salesforce web tab.
Add these in settings.py:
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE_FORCE_ALL = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
And add this in the MIDDLEWARE_CLASSES:
'django_cookies_samesite.middleware.CookiesSameSite',
Relevant sites I got the info from:
https://github.com/django/django/pull/8380/files
https://pypi.org/project/django-cookies-samesite/
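Stdlib-only illustration of the cookie the answer needed, added here and not taken from the question, the answer or the django-cookies-samesite package: Python before 3.8 rejects 'samesite' as an unknown cookie attribute (the "invalid field" error above), so the attribute is first registered on http.cookies.Morsel, the same workaround the django-cookies-samesite middleware and later Django releases apply before emitting SameSite=None; Secure. The cookie names and values are constructed.

```python
from http import cookies


def register_samesite() -> str:
    """Teach the stdlib cookie machinery the SameSite attribute.

    Morsel._reserved maps the lowercase attribute name to its wire spelling;
    setdefault makes this a no-op on Python 3.8+, where it is already present.
    """
    return cookies.Morsel._reserved.setdefault("samesite", "SameSite")


def cross_site_cookie(name: str, value: str, httponly: bool = True) -> str:
    """Set-Cookie value for a cookie that must survive inside a third-party
    iframe such as a Salesforce web tab: SameSite=None, always paired with Secure."""
    register_samesite()
    morsel = cookies.Morsel()
    morsel.set(name, value, value)
    morsel["path"] = "/"
    morsel["httponly"] = httponly
    morsel["secure"] = True   # Chrome discards SameSite=None cookies that lack Secure
    morsel["samesite"] = "None"
    return morsel.OutputString()


def django_cookie_headers(csrftoken: str, sessionid: str) -> dict:
    """Headers for the two cookies the settings above control (constructed values).

    The CSRF cookie stays readable by JavaScript, matching Django's default of
    CSRF_COOKIE_HTTPONLY = False, so front-end code can copy it into X-CSRFToken;
    the session cookie is HttpOnly.
    """
    return {
        "csrftoken": cross_site_cookie("csrftoken", csrftoken, httponly=False),
        "sessionid": cross_site_cookie("sessionid", sessionid, httponly=True),
    }
```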
Related
Been working on my live server all day and just got it working; admin was working fine. I cleared cookies and suddenly I got the following error, and no fixes seem to be helping me. My website doesn't have SSL yet, so it's still http (don't know if this has anything to do with it?)
DEBUG = False
CSRF_TRUSTED_ORIGINS = ['http://.*', 'http://example.com', 'http://www.example.com']
# HTTPS Settings
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = False
SECURE_SSL_REDIRECT = False
# HSTS Settings
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
This is the only form on my website that requires csrf_token and as you can see it already has it.
SOLVED
By adding the IP of my domain to the allowed hosts and trusted origins.
Do you have CsrfViewMiddleware in your MIDDLEWARE_CLASSES setting? Are you accessing the site non-securely (it seems so)? Then it cannot work. Try disabling CSRF_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY and SESSION_COOKIE_SECURE and you will see that it works.
I moved my applications to the production server and I have a problem with CSRF: Access denied (403)
CSRF verification failed. The request was aborted.
I checked in my browser and I don't have a cookie named csrftoken.
Part of my settings.py looks like this:
SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
#SECURE_HSTS_SECONDS = 31536000
#SECURE_CONTENT_TYPE_NOSNIFF = True
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
#SESSION_COOKIE_SAMESITE = None
#SECURE_HSTS_PRELOAD = True
I haven't turned on HTTPS yet.
Everything worked fine on the development server.
Where should I look for the cause, and what should I change?
Problem solved.
You just had to generate an SSL certificate and enable HTTPS.
This post showed me the solution: Django: Forbidden (CSRF cookie not set.)
What solved it for me was to add the following to settings.py, replacing "<my_domain>" part of course.
CSRF_TRUSTED_ORIGINS = ['https://<my_domain>.com']
The code above works like magic.
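A model of the browser rules behind the threads above, covering the plain-http production sites whose Secure csrftoken cookie never appears, SameSite=None without Secure, and Lax or Strict cookies inside a cross-site iframe like the Salesforce web tab at the top of the page. This is an added example, not code from any of the posts; the settings dicts, scheme and request context fed to it are constructed, and treating a missing SameSite value as Lax is an assumption matching modern browser defaults.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CookieFlags:
    secure: bool
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the flag is absent


def stored(flags: CookieFlags, page_scheme: str) -> bool:
    """Would the browser accept the Set-Cookie header at all?"""
    # A Secure cookie is only accepted from an https origin: on a plain-http
    # production site the csrftoken/sessionid cookies simply never appear.
    if flags.secure and page_scheme != "https":
        return False
    # Chrome rejects SameSite=None unless Secure is set as well.
    if flags.samesite == "None" and not flags.secure:
        return False
    return True


def sent(flags: CookieFlags, cross_site: bool, top_level_get: bool = False) -> bool:
    """Would a stored cookie be attached to a request made in this context?"""
    if not cross_site:
        return True
    mode = flags.samesite or "Lax"  # assumption: an absent flag behaves like Lax
    if mode == "None":
        return True
    if mode == "Lax":
        # Lax cookies travel on top-level navigations only, never on cross-site
        # POSTs or on requests issued from inside a third-party iframe.
        return top_level_get
    return False  # Strict


def from_settings(settings: dict, prefix: str) -> CookieFlags:
    """Map SESSION_ or CSRF_ settings, as written in the posts, onto cookie flags.
    Django's defaults (Secure off, SameSite Lax) apply when a key is missing."""
    return CookieFlags(
        secure=bool(settings.get(prefix + "_COOKIE_SECURE", False)),
        samesite=settings.get(prefix + "_COOKIE_SAMESITE", "Lax"),
    )


def usable(settings: dict, prefix: str, page_scheme: str, cross_site: bool) -> bool:
    """Stored and then sent: the cookie CsrfViewMiddleware will actually see."""
    flags = from_settings(settings, prefix)
    return stored(flags, page_scheme) and sent(flags, cross_site)
```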
I'm experimenting with an app running Angular 2 in the frontend and Django as the API, and I can't access the CSRF cookie sent from Django.
As you can see, I am getting back the cookie from the server but I cannot access it from the browser (document.cookie) or Angular 2 (using the ng2-cookies module).
Everything was working while testing on localhost; now the client and server are running on different hosts, and this might be the reason for the problem.
Client running on https://django-angular2-movies.firebaseapp.com/
Server running on https://glacial-shore-18891.herokuapp.com
This is part of the settings I'm using on Django:
settings.py
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CSRF_COOKIE_SECURE = False
CSRF_TRUSTED_ORIGINS = ['django-angular2-movies.firebaseapp.com']
ALLOWED_HOSTS = ['*']
Other things that I have tried, but didn't help:
Removing the CSRF_TRUSTED_ORIGINS setting
Adding CSRF_COOKIE_DOMAIN = 'django-angular2-movies.firebaseapp.com'
Using { withCredentials: true } in the request sent from the client
Using the @ensure_csrf_cookie decorator on Django views
What am I doing wrong?
Thanks
I'm testing my Django (1.6.5) app on localhost. I use django-allauth, and without SSL everything was OK.
I installed django-sslserver and changed the following:
Settings.py
ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https' # allauth
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
os.environ['HTTPS'] = "on"
Google API Console
REDIRECT URIS: http://localhost:8000/accounts/google/login/callback/
https://localhost:8000/accounts/google/login/callback/
When I logged in with my Google account, I accepted the authorization, but when it redirected back to my app, it showed the error:
DoesNotExist at /accounts/google/login/callback/
User matching query does not exist.
Request URL: https://localhost:8000/accounts/google/login/callback/?state=PwKj3DsvzmNp&code=4/16ttwvGn7SIZKyHWZ9sSy8YOx7sg.4t9M4AcGcoEfoiIBeO6P2m9E6KmpkAI
allauth/socialaccount/helpers.py in _login_social_account
def _login_social_account(request, sociallogin):
    return perform_login(request, sociallogin.account.user, ...
                         email_verification=app_settings.EMAIL_VERIFICATION,
                         redirect_url=sociallogin.get_redirect_url(request),
                         signal_kwargs={"sociallogin": sociallogin})
The error is in the return line.
Can you help me? Thanks! :)
I'm using Django 1.0.2 and trying to figure out how to get @login_required working correctly.
When I use the built-in server it redirects to the default login_url, or my LOGIN_URL as defined in settings.py as expected.
What is not clear to me is how to deploy to a server where my site is not at the root. In my templates I use the url template tag, and in the views I can access request.META['SCRIPT_NAME'], but for some reason it doesn't seem to be applied to the LOGIN_URL that is used.
What am I missing?
Thanks.
There is a setting called FORCE_SCRIPT_NAME that you should use to set the location of your script if it's not hosted at the root directory. You can prepend it to the login/logout URLs:
# This is needed because we're running the app in non-root directory of web server
FORCE_SCRIPT_NAME = '/myapp.cgi/'
LOGIN_URL = FORCE_SCRIPT_NAME + 'accounts/login/'
LOGOUT_URL = FORCE_SCRIPT_NAME + 'accounts/logout/'
Reference: https://docs.djangoproject.com/en/dev/ref/settings/#force-script-name