Django SESSION_COOKIE_DOMAIN on localhost

When I set SESSION_COOKIE_DOMAIN = '.mysite.com' and then run the production site, the site creates the proper cross domain cookie and it's set to .mysite.com. However, if I set SESSION_COOKIE_DOMAIN = '.localhost' and run the local development server at localhost:8000 the cookie that is created is the non-cross domain cookie localhost.
Why might this be the case?
Thanks.

This has to do with how browsers and cookies work. Because you're not allowed to set cookies to something like .com, you can't set it as .localhost either.
You can check out more here: https://code.djangoproject.com/ticket/10560. Looks like there's no real solution within Django for this. I do wish they would warn us though rather than just break.
I don't have a good solution though. For testing you could set your hosts file to use something like test.com instead of localhost to point to your runserver.

For the dev server, you can just use
SESSION_COOKIE_SECURE = False  # default; set only to override your prod setting
SESSION_COOKIE_DOMAIN = None  # default; set only to override your prod setting
or you can resolve the domain name with the hosts file
SESSION_COOKIE_DOMAIN = '.localhost'
Or something like this
SESSION_COOKIE_SECURE = False
SESSION_COOKIE_DOMAIN = "127.0.0.1"

You can't set SESSION_COOKIE_DOMAIN = '.localhost' because of browser security features (cf. Django issue 10560).
However, if you have foo.localhost:8000 and bar.localhost:8000 you can switch to foo.dev.localhost:8000 and bar.dev.localhost:8000 and set
SESSION_COOKIE_DOMAIN = '.dev.localhost'
SESSION_COOKIE_NAME = "youcustomcookiename"
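
The behaviour discussed in this thread, as an added example that is not part of any of the answers: a simplified model of how a browser handles the Domain attribute of Set-Cookie (RFC 6265 section 5.3, steps 4 to 6). `KNOWN_SUFFIXES` is a constructed stand-in for the Public Suffix List, `cookie_scope` and its helpers are hypothetical names, and the host names are constructed to fit the Domain values on this page.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List (the real list is far larger).
KNOWN_SUFFIXES = {"com"}

def is_public_suffix(domain):
    # PSL default rule "*": a single label with no explicit rule is a suffix,
    # which is why "localhost" is treated like "com".
    return domain in KNOWN_SUFFIXES or "." not in domain

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    # Suffix matching applies to host names only, never to IP addresses.
    return host == domain or (not is_ip(host) and host.endswith("." + domain))

def cookie_scope(request_host, domain_attr):
    """Return ("host-only", host), ("domain", domain) or ("rejected", None)."""
    host = request_host.lower()
    domain = (domain_attr or "").lower()
    if domain.startswith("."):
        domain = domain[1:]              # a leading dot is ignored
    if domain and is_public_suffix(domain):
        if domain != host:
            return ("rejected", None)    # e.g. Domain=.com sent by mysite.com
        domain = ""                      # downgraded to a host-only cookie
    if not domain:
        return ("host-only", host)
    if not domain_match(host, domain):
        return ("rejected", None)
    return ("domain", domain)

# Domain values from the page; host names constructed to match them.
CASES = [
    ("www.mysite.com", ".mysite.com"),
    ("localhost", ".localhost"),
    ("foo.localhost", ".localhost"),
    ("foo.dev.localhost", ".dev.localhost"),
    ("localhost", None),
]

if __name__ == "__main__":
    for host, attr in CASES:
        print(f"{host:20} Domain={attr!s:16} -> {cookie_scope(host, attr)}")
```

The request host is passed without its port, since cookie domain matching never looks at the port.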

Related

How to set ALLOWED_HOSTS Django setting in production when using Docker?

I always set my ALLOWED_HOSTS from an environment variable in Django. In my development .env I always set ALLOWED_HOSTS=.localhost,.127.0.0.1 and in production ALLOWED_HOSTS=mydomain.dom,my_ip_address
Now I am currently getting acquainted with Docker, and the question is what the value of ALLOWED_HOSTS should be in production. Should it remain as localhost, since I understand localhost will refer to the host container, or should I set it as my domain? I am using Nginx as a reverse proxy to forward requests.
You should set it to your domain. ALLOWED_HOSTS is used to determine whether the request originated from the correct domain name.
If you look at the docs for ALLOWED_HOSTS, you'll see that it is compared to the request's Host header, which is set by the user agent of the person visiting your site.
So although the Docker container is serving to its own localhost, the request is originating from example.com.
Check out this part of the docs to see exactly why host header validation is necessary, and you will probably better understand the purpose of ALLOWED_HOSTS.
You can just use your regular domain/IP address. ALLOWED_HOSTS has to do with the headers of the user matching the IP of the server. The internal mechanics on the server are not the concern of it.
ALLOWED_HOSTS=mydomain.dom,my_ip_address
is what you should go with.
Thanks for the answers, and I did confirm it's true. I would like to add that I also remembered that this can be confirmed by adding your domain to /etc/hosts pointing to 127.0.0.1. If the domain is not included in /etc/hosts, Django will throw a debug error telling you that the domain is not added to ALLOWED_HOSTS.

Django error when entering from multiple domains

I'm setting up two domains that point to the same IP of Django, but I can only log in to one; the other just will not let me. From the admin or the web it always redirects me to the login box. I tried everything, but nothing.
In the test environment I have Django running on runserver and /etc/hosts as follows:
# This one works
127.0.0.1 talleres.host1.com
# This one does not work
127.0.0.1 talleres.host2.com
I think the problem is with Django, but I don't know where to start looking. Does anyone know about this?
Make sure your ALLOWED_HOSTS looks like this:
ALLOWED_HOSTS = ['.host1.com', '.host2.com']

Set domain for cookie (localhost) in IE

I need to set the cookie's domain for localhost and I'm using Internet Explorer. I tried:
Response.Cookies["MyCookie"].Domain = ".local";
but it didn't work, because the cookie's value and domain are later set to null. Any idea?
Thanks
I suppose this question is related to your local development environment. localhost does not map to the local domain, e.g. pinging localhost.local should not work.
In Windows environments I successfully worked with domain cookies by updating the hosts file with a statement like this:
127.0.0.1 localhost localhost.domain.com
Now you can point your browser to localhost.domain.com and set the cookie's domain property to domain.com. You may need to make this FQDN available to your runtime (in e.g. Tomcat it worked out of the box).

Django- session cookies and sites on multiple ports

I have multiple Django projects running on one server using gunicorn and nginx. Currently they are each configured to run on a unique port of the same IP address using the server directive in nginx. All this works fine.
...
server {
    listen 81;
    server_name my.ip.x.x;
    ... #static hosting and reverse proxy to site1
}
server {
    listen 84;
    server_name my.ip.x.x;
    ... #static hosting and reverse proxy to site2
}
...
I came across a problem when I had 2 different projects open in 2 tabs and I realized that I could not be logged into both sites at once (both use the built-in Django User model and auth). Upon inspecting the cookies saved in my browser, I realized that the cookie is bound to just the domain name (in my case just an ip address) and it does not include the port.
On the second site, I tried changing SESSION_COOKIE_NAME and SESSION_COOKIE_DOMAIN, but it doesn't seem to be working and with these current settings I can't even log in.
SESSION_COOKIE_DOMAIN = 'my.ip.x.x:84'  # solution is to leave this as default
SESSION_COOKIE_NAME = 'site2'  # just using this works
SESSION_COOKIE_PATH = '/'  # solution is to leave this as default
# site1 is using all default values for these
What do I need to do to get cookies for both sites working independently?
Just change the SESSION_COOKIE_NAME. The SESSION_COOKIE_DOMAIN doesn't support port numbers afaik. So they are all the same for your apps.
Another solution that doesn't require hard-coding different cookie names for each site is to write a middleware that changes the cookie name based on the port the request came in on.
Here's a simple version (just a few lines of code).
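
The answer's own code did not survive on this page. One way to build such a middleware, as an added example that is not the answerer's code: it keeps Django's cookie name internally and renames the cookie on the wire to include the port. `PortScopedSessionCookie` and `BASE_COOKIE_NAME` are hypothetical names; it assumes SESSION_COOKIE_NAME is left at Django's default `sessionid`, that the class is listed above SessionMiddleware in MIDDLEWARE, and that `request.get_port()` reports a different port for each site.

```python
from http.cookies import Morsel

BASE_COOKIE_NAME = "sessionid"  # assumption: Django's default SESSION_COOKIE_NAME


class PortScopedSessionCookie:
    """Hypothetical middleware: one session cookie name per listening port."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        wire_name = f"{BASE_COOKIE_NAME}_{request.get_port()}"

        # Inbound: drop any unsuffixed cookie (it may belong to another site
        # on the same host) and expose this port's cookie under the name
        # that SessionMiddleware reads.
        request.COOKIES.pop(BASE_COOKIE_NAME, None)
        if wire_name in request.COOKIES:
            request.COOKIES[BASE_COOKIE_NAME] = request.COOKIES[wire_name]

        response = self.get_response(request)

        # Outbound: rename the Set-Cookie produced by SessionMiddleware,
        # including the expiring cookie it sends on logout.
        old = response.cookies.pop(BASE_COOKIE_NAME, None)
        if old is not None:
            renamed = Morsel()
            renamed.set(wire_name, old.value, old.coded_value)
            renamed.update(old)  # copy path, max-age, secure, httponly, samesite
            response.cookies[wire_name] = renamed
        return response
```

Renaming per request avoids mutating `settings.SESSION_COOKIE_NAME` at runtime, which would be shared across threads.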

What is the correct value for SESSION_COOKIE_DOMAIN if my Django site is set up on a subdomain?

I have a constant problem with cookies on my Django site, which is set up on a subdomain. It works for a couple of days, then the message 'your browser doesn't accept cookies' appears on the login page. I need to restart my web server to make it work for the next couple of days, and this cycle repeats.
This is really frustrating. I am not sure what I am doing wrong. I suspect that SESSION_COOKIE_DOMAIN might be set to a wrong value. What is the proper way to set it?
SESSION_COOKIE_DOMAIN = 'subdomain.domain.com'
SESSION_COOKIE_DOMAIN = '.domain.com'
SESSION_COOKIE_DOMAIN = ''
other?
Any help is appreciated. It behaves very strangely for me (I mean that everything works after the web server is restarted...). Maybe the problem lies in the configuration of the web server?
Looks like:
SESSION_COOKIE_DOMAIN = 'domain.com'
solved the problem.
Hope this helps someone.