Decorator @login_required not working on another computers

LeoneJordao · September 19, 2022, 12:57am

I have one local project with two applications in development that work perfectly when used on my computer (host), but do not work properly when used on another devices at the same network.

Flow:
User enters login page, insert username and password, the view checks if user is valid, authenticates and redirects to the second application. All with Django built-ins methods and libs (authenticate()
& login(), for example).
The second application, upon receiving the request, checks via the @login_required decorator if the user is logged in and renders the page template.

Problem:
Everything works as expected, but the @login_required decorator send the user to LOGIN_URL page. This occurs only when i try to login using another computers/devices. The username and password are valid.

Settings.py

ALLOWED_HOSTS = ['*'] #allow access

views.py (second app)

from django.shortcuts import render, redirect
from django.contrib.auth.decorators import login_required
from django.contrib.auth import views as auth_views
from autenticacao.models import Profile
import datetime
import logging

@login_required
def script_inicio(request):
	logging.warning('Will log this if @login_required returns True')
	return render(request, 'ops/inicio.html')

Server running using…:
$ python manage.py runserver 0.0.0.0:8000

Logs when i access via host (everything ok)

WARNING:root:Instruction login_def(request, user) passed!!
WARNING:root:Other instructions passed!
WARNING:root:Redirecting to main page of another app
[18/Sep/2022 21:44:48] "POST /login/ HTTP/1.1" 302 0
[18/Sep/2022 21:44:48] "GET /ops HTTP/1.1" 301 0
WARNING:root:Will log this if @login_required returns True
[18/Sep/2022 21:44:49] "GET /ops/ HTTP/1.1" 200 38664
[...]
[18/Sep/2022 21:44:49] "GET /static/assets/fonts/unicons.woff2?34404611 HTTP/1.1" 200 147808

Logs when i access via another device in same network

WARNING:root:Instruction login_def(request, user) passed!!
WARNING:root:Other instructions passed!
WARNING:root:Redirecting to main page of another app
[18/Sep/2022 21:47:49] "POST /login/ HTTP/1.1" 302 0
[18/Sep/2022 21:47:49] "GET /ops/ HTTP/1.1" 302 0
[18/Sep/2022 21:47:49] "GET /login?next=/ops/ HTTP/1.1" 301 0
[18/Sep/2022 21:47:49] "GET /login/?next=/ops/ HTTP/1.1" 200 5027

Using another device, the view doesn’t render the logging message:
WARNING:root:Will log this if @login_required returns True

I checked the django_session table in my db and in both cases the backend creates a session_key, session_data and expire_date.

How can i fix it?

KenWhitesell · September 19, 2022, 1:13am

You need to look closer to verify that the authentication worked.

Your GET /ops/ is redirecting back to the login page which means the @login_required is returning false - the request is not authenticated.

LeoneJordao · September 19, 2022, 2:19am

After so many hours, i fix the problem.

In settings.py the SESSION_COOKIE_SECURE was set True by default.
I set SESSION_COOKIE_SECURE to False and works like a charm.

Apparently, for requests coming from the host, there are no secure cookie checks. For requests coming from outside, the parameter is used.