csrftoken cookie not being set when accessing site from local network

Hi all,

I have a Django website that works well at http://localhost:8000. I configured my PC to make my site visible from other devices in the same local network. To connect to the site, they connect via http://localserver:8000, and they can see the website. The issue is that the csrftoken cookie is not being set when the site is visited from the URL http://localserver:8000 (it works fine when accessed from http://localhost:8000). The language cookie is set when I delete it and refresh the browser, though.

I have tried the following things without success:

  • Force setting the cookie with the decorator @ensure_csrf_cookie.
  • Add configurations to the settings.py file, including:
    CORS_ALLOW_CREDENTIALS = True
    CORS_ALLOW_ALL_ORIGINS = True
    CORS_ORIGIN_WHITELIST = ("http://localhost:8000", "http://localserver:8000",)
    CSRF_TRUSTED_ORIGINS = ("http://localhost:8000", "http://localserver:8000",)
    CSRF_COOKIE_SECURE = False
    CSRF_COOKIE_HTTPONLY = False
    SESSION_COOKIE_SAMESITE = False
    SESSION_COOKIE_DOMAIN = "http://localserver:8000"

None of these things seem to work. I also tried the following suggestions I received:

  • Verify that the csrftoken cookie is actually being set when accessing the site at http://localhost:8000.
  • Make sure that the ensure_csrf_cookie decorator is applied to the correct view function.
  • Try setting the SESSION_COOKIE_DOMAIN setting to "localserver" instead of "http://localserver:8000".
  • Verify that the CORS middleware is correctly installed and configured.
  • Verify that the hostname localserver resolves to the correct IP address of the machine.

Unfortunately, none of these suggestions worked, and I am still unable to set the csrftoken cookie when accessing the site from other devices on my local network (or even from the server with the address http://localserver:8000). Also, disabling CSRF protection is not a good solution for me.

I would greatly appreciate any further suggestions or advice on how to resolve this issue.

Thank you!

First, is CORS necessary here? Are they running JavaScript code being loaded in a page from a different server that is trying to access your server? (If not, then CORS isn’t relevant here.)

Have you looked at the browser’s developer tools to see if the cookie is included in the response from the server?

(Did you try not specifying the port numbers in the CSRF and COOKIE settings? There’s one of these settings that you don’t specify a port, I don’t remember right off-hand which one it is. Maybe it’s both?)

The SESSION_COOKIE_DOMAIN definitely does not include the scheme. It should be “localserver”. However, in general, unless you’re sharing cookies across servers in a DNS domain, I’d recommend removing that setting.

I’d also suggest removing the SESSION_COOKIE_SAMESITE setting unless you have an identified need for it.

Thank you for your time and response.

I followed all your recommendations and still the problem persists.

The cookie is included in the response but it shows a warning: This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection.

We don’t have SSL in our local network and it would be overwhelming trying to implement that.

Which cookie was throwing that error? You should be able to address that specific one.

The cookie is csrftoken

When I look at the Set-Cookie header from one of my local dev sites, I see:

csrftoken=XLfNKKz1JEvfCaREmddhIQzzhjQvcv8S; expires=Fri, 01 Mar 2024 17:33:20 GMT; Max-Age=31449600; Path=/; SameSite=Lax

So to confirm, you’re seeing effectively the same cookie but with Secure in the cookie?

Is this the only cookie being set? (There can be multiple Set-Cookie headers.)

Double/triple check your CSRF_COOKIE_SECURE setting to ensure it’s not commented out or overridden later on in your settings file.

It might also be worth logging (or printing) its value in the view that is causing this to happen, just to verify that there’s not something else going on.

Side note items: What versions of Python and Django are you running? What wsgi container are you using to host your server? Are you using any third-party packages that may be affecting these cookies?
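The header check discussed above (look at every Set-Cookie header and see which ones carry Secure), as an added example that is not part of the original thread. The function name `audit_set_cookie`, the sample header values and the loopback exemption are assumptions made for this sketch; it uses only the Python standard library.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: current Chrome and Firefox accept a Secure cookie from a
# loopback origin over plain HTTP, but not from any other HTTP host.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample headers (not captured from a real server).
ATTRS = "expires=Fri, 01 Mar 2024 17:33:20 GMT; Max-Age=31449600; Path=/; SameSite=Lax"
SAMPLE_HEADERS = [
    "csrftoken=constructed-token-value; " + ATTRS + "; Secure",
    "django_language=en; Path=/; SameSite=Lax",
]


def audit_set_cookie(page_url, set_cookie_headers):
    """Return (name, accepted, reason) for each cookie in the response.

    set_cookie_headers holds one string per Set-Cookie header, because a
    response can carry several and each one is judged separately.
    """
    parts = urlsplit(page_url)
    transport_ok = parts.scheme == "https" or parts.hostname in LOOPBACK_HOSTS
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # morsel["secure"] is True when the flag is present, "" otherwise.
            if morsel["secure"] and not transport_ok:
                findings.append((name, False, "Secure attribute over plain HTTP"))
            else:
                findings.append((name, True, "ok"))
    return findings


def blocked_names(page_url, set_cookie_headers):
    """Names of the cookies the browser would refuse to store."""
    return [n for n, ok, _ in audit_set_cookie(page_url, set_cookie_headers) if not ok]


if __name__ == "__main__":
    for url in ("http://localhost:8000/", "http://localserver:8000/"):
        print(url, audit_set_cookie(url, SAMPLE_HEADERS))
```

Paste the Set-Cookie values copied from the browser's network tab in place of `SAMPLE_HEADERS` to see which header carries the flag.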

Triple checked your CSRF_COOKIE_SECURE. After printing the value of CSRF_COOKIE_SECURE at the end of the file settings.py I got the value False.

I’m using Django 4.1.6 and Python 3.10.7
Server: WSGIServer/0.2 CPython/3.10.7

Are you using any decorators or mixins on the view where this is happening?

It may also be worth checking that settings value in the view to verify it hadn’t been changed.

Are you running this behind a web server, or running this directly? If behind a web server, what web server are you running?

Do you have any middleware installed other than the Django-provided defaults?

Also, please confirm the previous questions:

  • So to confirm, you’re seeing effectively the same cookie but with Secure in the cookie?
  • Is this the only cookie being set? (There can be multiple Set-Cookie headers.)

Just as a follow-up here, I am unable to recreate the symptoms that you are describing in my test lab based upon the information that you have provided here along with my corrections.

That leads me to believe that there’s some other factor involved that hasn’t been mentioned yet. Since I don’t know your project or your environment, it’s up to you to try and identify what those factors may be.