I have spent days on trying to figure this out but am at a loss.
I am trying to make a self-service password reset via email. Email works just fine. When I click the link, one of two things happens depending on where it is hosted.
This is the format:
accounts/reset/Mg/d24wb2-c947d486dddaba08c087c2b8fcc=8ee5/
The issue I have is that on localhost on my Mac this technically works just fine. I click the link in the email (prepend 127.0.0.1:8000) and the browser then updates the URL to:
/accounts/reset/Mg/set-password
The page loads correctly, and I can reset my password with no issue.
The real issue is this: I am trying to host this on Docker. I have 1 prod and 1 dev. Both fail: when you click the link it says "link expired" (from the HTML logic). Oddly, on my Docker host for dev and prod, they pass the full URL: accounts/reset/Mg/
Some of the things I have tried on Docker:
- trying this with both gunicorn and manage.py
- several settings.py options, including the current:
```python
SESSION_COOKIE_SAMESITE = 'Lax'

# If you are NOT using HTTPS (testing on a local IP like 10.0.10.140),
# make sure these are False:
if MODE == "dev":
    SESSION_COOKIE_SECURE = False
    CSRF_COOKIE_SECURE = False
    SECURE_SSL_REDIRECT = False
    SESSION_COOKIE_DOMAIN = None
else:
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

SESSION_ENGINE = 'django.contrib.sessions.backends.db'
SESSION_SAVE_EVERY_REQUEST = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = False
SESSION_COOKIE_AGE = 1209600
PASSWORD_RESET_TIMEOUT = 259200  # 3 days in seconds (default)
```
The browser shows a single 200 response when clicking on the link, with the headers looking like this:

RESPONSE HEADERS:
```
cache-control: max-age=0, no-cache, no-store, must-revalidate, private
content-length: 2361
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin
date: Fri, 09 Jan 2026 15:52:04 GMT
expires: Fri, 09 Jan 2026 15:52:04 GMT
referrer-policy: same-origin
server: WSGIServer/0.2 CPython/3.12.12
x-content-type-options: nosniff
x-frame-options: DENY
```

REQUEST HEADERS:
```
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.8
connection: keep-alive
cookie: jenkins-timestamper-offset=18000000; JSESSIONID.08e1fe65=node069y2x1i9mms0f04ag8a1gs5k1.node0; JSESSIONID.5b61ae3c=node0dkgt8ogtxfd115jetenq666xq0.node0; csrftoken=o4QZBpD1TAaMAznINx5fi0zznpSr6Azn
host: 10.0.10.140:34567
sec-gpc: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
```
I am at a loss here as to what is going on, and I have spent too many hours trying to get this working. This is for a non-profit org, and the Django app is basically done; I just need this last thing to work. Any help would be so much appreciated.
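The link format in the post is `<uidb64>/<timestamp>-<signature>/`: the uid segment is the user's primary key, base64-encoded, and the token is an HMAC over that user's current state and the minting time, keyed by the server secret. The following is an added, simplified model of that check (not Django's own code, and not a diagnosis of this deployment) showing the independent reasons a token that was valid where the mail was sent can be rejected where the link is opened: a different secret, a changed password hash or last-login time, or the `PASSWORD_RESET_TIMEOUT` from the settings above having elapsed. The `SECRET_KEY`, user record and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = "dev-secret-key-for-illustration"  # constructed, not a real key
PASSWORD_RESET_TIMEOUT = 259200  # 3 days, the default quoted in the settings above


@dataclass
class User:
    pk: int
    password_hash: str
    last_login: str  # ISO timestamp, "" if the user has never logged in


def decode_uid(uidb64: str) -> int:
    # The "Mg" segment in the post is a urlsafe base64 user id with padding stripped.
    padded = uidb64 + "=" * (-len(uidb64) % 4)
    return int(base64.urlsafe_b64decode(padded).decode())


def _signature(user: User, ts: int, secret: str) -> str:
    # The token is bound to user id, current password hash, last login and mint time.
    # If any of these, or the secret, differs at check time, the signature changes.
    msg = f"{user.pk}{user.password_hash}{user.last_login}{ts}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()[:32]


def make_token(user: User, secret: str, now: Optional[int] = None) -> str:
    ts = int(now if now is not None else time.time())
    return f"{ts:x}-{_signature(user, ts, secret)}"


def check_token(user: User, token: str, secret: str, now: Optional[int] = None) -> bool:
    try:
        ts_hex, sig = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False  # malformed token
    if not hmac.compare_digest(_signature(user, ts, secret), sig):
        return False  # secret or user state differs from when the link was minted
    current = int(now if now is not None else time.time())
    return 0 <= current - ts <= PASSWORD_RESET_TIMEOUT  # reject expired links


def demo() -> dict:
    user = User(pk=decode_uid("Mg"), password_hash="pbkdf2$abc", last_login="2026-01-09T15:00")
    t0 = 1_767_970_000  # constructed "now", seconds since the epoch
    token = make_token(user, SECRET_KEY, now=t0)
    return {
        "same_secret_same_state": check_token(user, token, SECRET_KEY, now=t0 + 60),
        "other_secret": check_token(user, token, "another-secret", now=t0 + 60),
        "password_changed": check_token(User(2, "pbkdf2$new", user.last_login), token, SECRET_KEY, now=t0 + 60),
        "expired": check_token(user, token, SECRET_KEY, now=t0 + PASSWORD_RESET_TIMEOUT + 1),
    }
```

Only the first case in `demo()` validates; comparing the secret and the user row between the process that sent the mail and the process serving the link is the first thing to check when the full-token URL renders the "invalid link" page with a 200 instead of redirecting to `set-password`.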