We Keep Coding

Django - CSRF problem after moving to production server

I moved applications to the production server and I have a problem with CSRF - Access denied (403)
CSRF verification failed. The request was aborted.
I checked in my browser and I don't have a cookie named
csrftoken
Part of my settings.py looks like this:
SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
SESSION_COOKIE_SECURE = True SESSION_COOKIE_SAMESITE = None
CSRF_COOKIE_SECURE = True CSRF_COOKIE_SAMESITE = 'Strict'
#SECURE_HSTS_SECONDS = 31536000
#SECURE_CONTENT_TYPE_NOSNIFF = True
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
#SESSION_COOKIE_SAMESITE = None
#SECURE_HSTS_PRELOAD = True
I haven't turned on HTTPS yet
Everything worked fine on the development server.
Where to find the cause and what to improve?

problem solved.
You just had to generate an SSL certificate and enable HTTPS.
This post showed me the solution Django: Forbidden (CSRF cookie not set.)

What solved it for me was to add the following to settings.py, replacing "<my_domain>" part of course.
CSRF_TRUSTED_ORIGINS = ['https://<my_domain>.com']
This code above works like magic

How to solve facebook django url social-auth-app-django problem?

Im trying to have social-auth-app-django facebook on my website and im getting this error, on localhost everything works but now when i changed settings to my website it isn't work :(
My settings.py:
LOGIN_URL='Logowanie'
LOGIN_REDIRECT_URL = 'MeetMe!'
SOCIAL_AUTH_FACEBOOK_KEY = '***********' # App ID
SOCIAL_AUTH_FACEBOOK_SECRET = '***********' # App Secret
SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/przekierowanie/'
SOCIAL_AUTH_FACEBOOK_SCOPE = [
'email',
]
SECURE_SSL_REDIRECT = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

I solve it on my own !
What i did:
added to settings.py
SOCIAL_AUTH_FACEBOOK_API_VERSION = '2.11'
i followed this tutorial
no such table: social_auth_usersocialauth
1.pip install python-social-auth==0.2.21
2.pip install social-auth-app-django
3.Set Django's app list and the backend-related settings according to the settings paragraph of the migration page.
4.Apply migrations: python manage.py migrate
5.Uninstall the old package: pip uninstall python-social-auth
i set on developers facebook status to live
Domain:
domain.pl
Url:
https://domain.pl
Valid OAuth Redirect URIs:
https://domain.pl/oauth/complete/facebook/

First Go To Setting.py And Put This Code End Of All Codes:
AUTHENTICATION_BACKENDS = [
'social_core.backends.facebook.FacebookOAuth2',
]
Second Go To FaceBook Developer In This Address :
https://developers.facebook.com
And Make One Account There.
After go To My Apps And Then Click On Create App And Then Put Your Website Name ((Attention...If You Use Your Local Host You Need To Put One Domain Name For Your Local Ip)) And Your Email And Click On Create App ID And In Your Dashboard Looking For Facebook Login And Click On Set Up .
And Then In First Step In Web Window Put Your WebSite Name For Local Host For Example Put mysite.com:8000/ And Click On Save And Other Options Just Cross .
Now In Your Dashboard On The Left Side Click On Setting And Then Basic If You See Your APP ID And Your APP SECRET Put This Two In Your Settings.py After That Last Code .
SOCIAL_AUTH_FACEBOOK_KEY = 'Put Your App Id Code Here'
SOCIAL_AUTH_FACEBOOK_SECRET = 'Put Your App Secret Code Here'
If You Want To Take User's Email Also You Can You This As Well .
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email']
Now In You Dashboard Go To Settings And After Go To Basic An In Field App Domains Put Your Website Name Also Go To Settings After Advanced And Put Website Name In Domain Manager With CLick On Add a Domain .
Now Again In Dashboard Go In Products+ Part And Click On Facrbook Login After Settings And Check These Option Be Active(Yes) :
• Client OAuth Login
• Web OAuth Login
• Enforce HTTPS
• Embedded Browser OAuth Login
And IN This Form Your Are Now Also Go In This Field Valid OAuth Redirect URIs And Put This URL :
exapmle.com/social-auth/complete/facebook/
And Put Your Button In Your Website Page That Have This Login Auth :
<li>
Sign in with Facebook
</li>

Django Microsoft AD Authentication

I noticed that this question was repeated few times, but still, from all the resources, I couldn't manage to make it work properly.
I'm simply trying to use Azure Active Directory authentication with my Django app.
I am using this module, and I configured everything as noted in the docs.
The thing is - I can't figure out where should user enter the credentials - since the module has only
one url ('auth-callback/'). I can't find out how to jump to Microsoft login html page. Should I use my login.html or?
Also, I guess that 'auth-callback/' url is obviously a callback URL, which comes after the login page.
I am using django auth.views LoginView for login, and custom login.html page.
In terms of Redirect URI's I configured redirect URI to match directly the 'http://localhost:8000/microsoft/auth-callback/' url, which is also how it needs to be I guess.
Main problem is - where can I enter the credentials for login? :)
Also, when I try this - I get invalid credentials error on my Admin login page :
Start site and go to /admin and logout if you are logged in.
Login as Microsoft/Office 365/Xbox Live user. It will fail. This will automatically create your new user.
Login as a Password user with access to change user accounts.
Quick Edit :
I noticed that when i go to django/admin page '..../admin/login' inside the console i have this error :
https://static/microsoft/css/login.css Failed to load resource (404)
https://static/microsoft/js/login.js Failed to load resource (404)
Where can i get those files?
Let's jump to my code :
settings.py
INSTALLED_APPS = [
...
'django.contrib.sites',
'microsoft_auth',
...
]
#Choped from templates
'context_processors': [
...
'microsoft_auth.context_processors.microsoft',
],
AUTHENTICATION_BACKENDS = [
'microsoft_auth.backends.MicrosoftAuthenticationBackend',
'django.contrib.auth.backends.ModelBackend',
]
SITE_ID = 1
LOGIN_REDIRECT_URL = 'main:index'
LOGOUT_REDIRECT_URL = 'main:index'
LOGIN_URL = '/'
LOGOUT_URL = '/'
# AZURE AUTH CONFIG
MICROSOFT_AUTH_CLIENT_ID = 'THIS IS MY CLIENT KEY'
MICROSOFT_AUTH_CLIENT_SECRET = 'THIS IS MY SECRET KEY'
MICROSOFT_AUTH_TENANT_ID = 'THIS IS MY TENANT KEY'
# include Microsoft Accounts, Office 365 Enterpirse and Azure AD accounts
MICROSOFT_AUTH_LOGIN_TYPE = 'ma'
And my urls.py
...
path('microsoft/', include('microsoft_auth.urls', namespace='microsoft')),
...
Thank you all in advance.

django-microsoft-auth uses the standard django login page and extends that. My guess is that your custom login page is interfering with that. You could try removing that view and test again to see if the login appears at /admin.
The files should be coming from the django-microsoft-auth package. You could try uninstalling and reinstalling it again with pip

CSRF_COOKIE_SAMESITE equivalent for django 1.6.5

I am trying to launch my application which was written using django 1.6.5 version, in a salesforce webtab iframe. I was getting a "CSRF cookie not set" error while trying to login. I understood through the console logs that in the latest version of Chrome, only allows the cookies which are set with 'secure'=True and samesite=None. I understood that these settings can be added in the settings.py in later versions of django
SESSION_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
But this does not work in django 1.6.5 version. I have been trying to find out how to apply these settings in my version.

There is no support to add the samesite setting in Django 1.6.5, that is the reason the adding those in the settings.py did not work. Django 3.1 is where they started this support this setting. I tried adding my own middleware and add the setting to the cookies, but I got an invalid field error. Then I found a library I can use for this - django-cookies-samesite. I was able to apply the samesite setting to None and the secure to True, then I was able to login through salesforce web tab.
Add these in settings.py
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE_FORCE_ALL = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
And add this in the MIDDLEWARE_CLASSES:
'django_cookies_samesite.middleware.CookiesSameSite',
Relevant sites I got the info from:
https://github.com/django/django/pull/8380/files
https://pypi.org/project/django-cookies-samesite/

Can't access csrf cookie sent by server via Set-Cookie (Django + Angular2)

I'm experimenting with an app running on Angular 2 in the frontend and Django as API and I can't access the CSRF cookie sent from Django.
As you can see, I am getting back the cookie from the server but I cannot access it from the browser (document.cookie) or Angular 2 (using the ng2-cookies module).
Everything was working while testing on localhost, now client and server are running on different hosts and this might be the reason of the problem.
Client running on https://django-angular2-movies.firebaseapp.com/
Server running on https://glacial-shore-18891.herokuapp.com
This is part of the settings I'm using on Django:
settings.py
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CSRF_COOKIE_SECURE = False
CSRF_TRUSTED_ORIGINS = ['django-angular2-movies.firebaseapp.com']
ALLOWED_HOSTS = ['*']
Other things that I have tried, but didn't help:
Removing the CSRF_TRUSTED_ORIGINS setting
Adding CSRF_COOKIE_DOMAIN = 'django-angular2-movies.firebaseapp.com'
Using { withCredentials: true } in the request sent from the client
Using the #ensure_csrf_cookie decorator on Django views
What am I doing wrong?
Thanks