Good evening!
I’m trying to set up an API using DRF and authenticate users through sessions. And during testing I have faced the following problem:
- I am logging the user in: it comes through and the response contains two cookies, sessionid and csrftoken
- However, no cookies have been set and I can’t see them in the browser, nor do they exist in document.cookie
- I am sending a PATCH/POST/PUT/DELETE request (that requires an X-CSRFToken header) and all I get is this error:
{“detail”:“CSRF Failed: CSRF token from the ‘X-Csrftoken’ HTTP header has incorrect length.”}
This is because when I try to get csrftoken cookie value from cookies, it returns an empty string. No cookies have been set.
Sessionid cookie works as intended as it’s HttpOnly and does not need to be saved. Csrftoken on the other hand I need to access because session authentication requires passed X-CSRFToken header with every unsafe request.
Here’s how I make a request to log the user in:
fetch("https://myserveratpythonanywhere.com", { method: "POST", credentials:"include", body: JSON.stringify({ username: "loginTest", password: "passwordTest" }), headers: { "Content-type": "application/json; charset=UTF-8" }, mode: 'cors' })
And here’s part of my settings that concern CORS and CSRF:
CORS_ALLOWED_ORIGINS = [ 'https://myClient.site' ] CORS_ALLOW_CREDENTIALS = True CORS_EXPOSE_HEADERS = [ 'Set-Cookie' ] CSRF_TRUSTED_ORIGINS = [ 'https://myClient.site' ] CSRF_COOKIE_SAMESITE = 'None' CSRF_COOKIE_SECURE = True CSRF_COOKIE_HTTPONLY = False CSRF_USE_SESSIONS = False SESSION_COOKIE_SAMESITE = 'None' SESSION_COOKIE_SECURE = True
I don’t know if it’s relevant, but here’s the login view:
@action(detail=False, methods=['post']) def login(self, request): serializer = serializers.LoginSerializer(data=self.request.data, context={ 'request': self.request }) serializer.is_valid(raise_exception=True) user = serializer.validated_data['user'] login(request, user) return Response(None, status=status.HTTP_202_ACCEPTED)
I am totally lost as to why the csrftoken cookie does not set, even though I disabled HttpOnly property and configured samesite policy to None; Secure while sending a request via https.
Any help will be appreciated!
Thank you in advance.