Django Session Cookie not being set

calcanisa · October 16, 2023, 7:51am

I have a Django application I just moved to production. I am unable to make the site display I am logged in. It works fine on my local machine and I do not see any errors in production and the username and password is correct. The problem the session cookie is not being set and my settings are correct I believe. Here are my settings related to sessions:

DEBUG = False

ALLOWED_HOSTS =  ["localhost","102.219.85.91","founderslooking.com","app.founderslooking.com"]

CORS_ALLOWED_ORIGINS = [
    "http://localhost:8080",
    "http://127.0.0.1",
    "http://localhost:file",
    "http://app.founderslooking.com",
]

CORS_ORIGIN_ALLOW_ALL = True

CORS_ALLOW_CREDENTIALS = True

SESSION_COOKIE_SAMESITE = None

SESSION_COOKIE_DOMAIN = "founderslooking.com"

#SESSION_COOKIE_SECURE = False

CSRF_TRUSTED_ORIGINS = ["http://localhost", "http://*.127.0.0.1", "http://app.founderslooking.com",]

INTERNAL_IPS = [
    "127.0.0.1",
]

I am not using https because I am only testing the site until I am sure everything works, then I will switch over to https.

Why is the session cookie not being set?

The application is on a VPS using Ubuntu, Gunicorn, Nginx and Supervisord

antoinehumbert · October 16, 2023, 7:15pm

It looks like you have some cross origin requests somewhere between founderslooking.com and app.founderslooking.com.

Can you describe what is the purpose of each domain ? Do you have a frontend served by one domain and the backend served by the other one ?

What is the domain serving the login url ?

In your browser developer tools, do you see the session cookie set in the response of the login url ? If so, can you give the characteristics of this
cookie ? Then, on subsequent requests for which you would expect the session cookie to be sent, can you see it in the request’s headers ? What is an example url for such request ?

calcanisa · October 17, 2023, 5:03am

Hello thanks for posting. app.founderslooking.com is a Vue application and founderslooking.com is a Django app with some pages and a REST API that provide data to the Vue app. I managed to get it working if I cleared the history and logged in again. Problem however is it somehow does not remember the cookie, because this morning when I accessed the site I got a CORS error which got fixed after I again cleared all the history and logged back in. Really not sure why it does not respect the same cookie from yesterday if it was still present in my browser this morning?

calcanisa · October 18, 2023, 4:49pm

so it seems to happen every time. If I log into the site then I go to my Vue app I can see my data because it gets it from the API but if I want to post something I get that CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://founderslooking.com/api/v1/profiles/founders/1/u/. (Reason: CORS request did not succeed). Status code: (null).

So what are my settings then supposed to be so I can make requests from app.founderslooking.com to founderslooking.com?

Topic		Replies	Views
Cannot access admin if setting is set. Cannot access website if setting is not set Deployment	1	260	October 13, 2023
django why cookie not sending to client browser? Deployment	3	538	December 17, 2023
csrftoken cookie not being set when accessing site from local network Forms & APIs	8	3354	March 5, 2023
Getting Forbidden (CSRF cookie not set.): while trying to login to Django Admin Page Mystery Errors	11	18779	May 2, 2023
Cookie set not working with django and next js app hosted on azure and confiured to use custom domain Mystery Errors	1	405	February 6, 2024

Django Session Cookie not being set

Related Topics