Hi everyone.I am new to the domain of software engineering so I may not use the best terms to describe my situation! but i look forward to any advice or feedback anyone has.
I have started working on a pre-existing projject that has multiple docker containers.
Django is being used inside a container, and there is another container serving the front end (Angular/Apache).
I have had major grief in getting authentication and session cookies to be accepted by the browser in this setting which is cross origin I believeâŚ
My HTTP requests are set to send to a URL (document.location.hostname), they are set to crossDomain and they are set to withCredentials.
My CORS headers whitelist the IP address (gets rid of one CORS error in the browser!)
CORS_ALLOW_CREDENTIALS = True
SESSION_COOKIE_SAMESITE = âNoneâ
SESSION_COOKIE_SECURE = True
and then here i seem to get my probelms starting in that the cookies MUST be secure if samesite is None - so then my requests have to be HTTPS for the browser to attach a secure cookie to the request.
Django itself doesnât do https/SSL stuffâŚ
I am using django_extensions with runserver_plus as a workaround atm.
This app runs on a local network behind a lot of security and doesnât âneedâ to be secure.
Is there away to modify Django Cors or cookie settings or my HTTP requests so that the cookies will without needing to be secure and needing HTTPS?
Can I somehow do a âcookie whitelistâ to just the IP address of the frontend?
Keep in mind that this doesnât matter regarding this issue. What CORS protects you against is one of your users visiting a different site that loads JavaScript in their browser that causes them to perform actions on your site.
You describe that youâre currently using Werkzeug (runserver_plus) as a âworkaroundâ. How are you planning on running it as a ânon-workaroundâ? (Please donât say ârunserverâ. Really, donât.)
You should already be using something like gunicorn or uWSGI - both of which support ssl. Or, in every deployment that we do, you run the Django app behind Apache. (Well, we donât use Apache any more, we do everything behind nginx.) You allow Apache (or nginx) to handle the ssl and proxy the request to your gunicorn (or uwsgi) instance.
Hi. Thankyou for your reply! I feel if i say too much it will only make you depressed. Lets see if i can reply without saying - runserver?
I tried to do a bit of reading âaroundâ the topic before i posted so I have already come across what you mean. I even sent a screenshot of the part of the documentation that says not to use Django as a WSGI server in production and to use it with something else.
I raised putting it behind a WSGI server or a proxy and my team did not support this action currently.A member of my team indicated that django is used for this in many projects and that there must be a solution to the cross origin requests that does NOT involve HTTPS/SSL or needing to âadd moreâ layers on top of it.
I really do appreciate your reply! It settles my mind a bit that what you said supports my research.
If youâre talking about using runserver as a production server, well, I wonât quite go so far as to say they know a lot of people who are making the same mistake. The reason I wonât say that is because I have a couple of projects running in very specific environments where runserver (actually, I use Werkzeug) is the appropriate solution.
However, I would never recommend it for general use. As you have found, the docs themselves recommend strongly against it.
Solution to the cross-origins policy? Sure - take it all out. This is all handled by configuration and middleware. Forget security and take your chances - that is an architectural decision that could be made. (Iâm not sure Iâd recommend it in the general case, but it is a choice.)
As a more serious response, ssl isnât that big of a deal anymore. With services like LetsEncrypt making certs generally available for free, it doesnât even cost anything. And with the general push toward âssl everywhereâ, itâs something youâll want to address sooner rather than later.
Thankyou again for your input.
I guess my âproblemâ which isnât really a porblem as its by design - is on the browser end more than the backend?
If i were to strip a lot out of django (which i wonât) -
would i end up in a situation where the browser will accept the âset-cookieâ and attach the cookies to requests properly - in a cross origin context - without the secure tag (and therefore without SSL/HTTPS)?
I wouldnât try to characterize this as either a âfront endâ or a âback endâ issue - it spans both, and the need to secure both sides of the communication channel.
Thereâs not a lot to strip out - itâs one middleware package to remove. (Although, itâs still possible for third-party packages to force this to be used even without the middleware - but there are ways around that too.)