Why doesn't Django create CSRF or session cookies behind the proxy server?

Running Django 1.2.5 on a Linux server with Apache2, and for some reason, Django seems to be unable to store CSRF or session cookies. So when I try to log into the Django admin, it gives me a CSRF validation error when submitting the login form. Has anyone opposed this and found a solution?

I can make a valid post when I try this at the address of my VPS that was provided by my host. Example: vps123.hostdomain.com/admin/, and cookies will be set for this domain. However, when I go to www.sitedomain.com/admin/ and try to log in, I get a CSRF 403 error stating that the cookie does not exist, and when I check the files of my browsers, they are not installed.

I tried to set the following in my settings file:

    SESSION_COOKIE_DOMAIN = 'www.sitedomain.com'
    CSRF_COOKIE_DOMAIN = 'www.sitedomain.com'

Also tried:

    SESSION_COOKIE_DOMAIN = 'vps123.hostdomain.com'
    CSRF_COOKIE_DOMAIN = 'vps123.hostdomain.com'

I have "django.middleware.csrf.CsrfViewMiddleware" added to my MIDDLEWARE_CLASSES in settings.py and there is a CSRF token in the form and it displays in POST.

I have cookies. I tried this on several browsers and machines.

There is a proxy server on www.sitedomain.com, which I think may be part of the problem. Anyone with experience with proxies and Django can shed some light on this.

My apache2 configuration:

    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerName www.sitedomain.com
        ServerAlias www.sitedomain.com

        <Location "/">
            Options FollowSymLinks
            SetHandler python-program
            PythonInterpreter nzsite
            PythonHandler django.core.handlers.modpython
            PythonDebug On
            PythonPath "['/var/www/django_projects', '/var/www', '/usr/lib/python2.6/dist-packages'] + sys.path"
            SetEnv DJANGO_SETTINGS_MODULE project_one.settings
        </Location>

        <location "/phpmyadmin">
            SetHandler None
        </location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName othersite.sitedomain.com
        ServerAlias othersite.sitedomain.com

        <Location "/">
            Options FollowSymLinks
            SetHandler python-program
            PythonInterpreter ausite
            PythonHandler django.core.handlers.modpython
            PythonDebug On
            PythonPath "['/var/www/django_projects', '/var/www', '/usr/lib/python2.6/dist-packages'] + sys.path"
            SetEnv DJANGO_SETTINGS_MODULE project_two.settings
        </Location>

        <location "/phpmyadmin">
            SetHandler None
        </location>
    </VirtualHost>

+6
3 answers

The problem was that I have a Varnish proxy in front of my site. Varnish accepted requests and removed cookies from them. To fix this, I had to have the company that runs the Varnish server add '/admin' to the exclusion list so that cookies can be passed. Sorry, I can't shed more light on how Varnish works.

+3
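One way to confirm the diagnosis in the answer above, as an added example that is not part of the original question or answer: compare response headers captured directly from the backend address with those captured through the proxied hostname, and report which Django cookies never reach the browser. The two header captures are constructed sample data, and `parse_headers`, `cookie_names` and `diagnose` are hypothetical helper names.

```python
from http.cookies import SimpleCookie

# Constructed sample captures (e.g. saved from `curl -sI`), not real traffic.
ORIGIN_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Vary: Cookie
Set-Cookie: csrftoken=c0ffee; Max-Age=31449600; Path=/
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
"""

PROXIED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Varnish: 1234567890
Via: 1.1 varnish
Age: 42
"""

def parse_headers(raw):
    """Return (lower-cased name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_names(pairs):
    """Names of every cookie the response tries to set."""
    names = set()
    for name, value in pairs:
        if name == "set-cookie":
            names.update(SimpleCookie(value).keys())
    return names

def diagnose(origin_raw, proxied_raw, expected=("csrftoken", "sessionid")):
    """Report expected cookies set by the origin but missing behind the proxy."""
    origin, proxied = parse_headers(origin_raw), parse_headers(proxied_raw)
    dropped = sorted((cookie_names(origin) - cookie_names(proxied)) & set(expected))
    # Headers that indicate a cache or proxy handled the response.
    hints = sorted({n for n, _ in proxied if n in ("via", "x-varnish", "age")})
    return {"dropped": dropped, "proxy_headers": hints}

if __name__ == "__main__":
    print(diagnose(ORIGIN_RESPONSE, PROXIED_RESPONSE))
```

A non-empty `dropped` list together with cache headers such as `X-Varnish` or `Via` points at the proxy rather than at the Django settings.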

Do you include {{csrf_token}} in your form template?

    <form autocomplete="off" method="post" action="{% url auth_login %}">
        {% csrf_token %}
        {{form|as_p}}
        <input type='submit' />
    </form>

And including middleware?

  'django.middleware.csrf.CsrfViewMiddleware', 

From your editing, by assumption, this may have something to do with the VirtualHost configuration in Apache (if your provider uses apache). Here is an edited version of one of my apache configurations.

    <VirtualHost *:80>
        ServerName www.domain.com
        WSGIProcessGroup my-django-site
        WSGIScriptAlias / /path-to-my-django-site/wsgi/production.wsgi
        Alias /media /path-to-my-django-site/media
    </VirtualHost>

Perhaps the server name in apache should match the domain name that you click on the field, along with the *_COOKIE_DOMAIN settings in your Django configuration. I'm not sure you can change that. It might be worth talking to your provider if no other answers win.

+2

Are you updating your template data with csrf information?

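    from django.core.context_processors import csrf
    from django.shortcuts import render_to_response

    def index(request):
        items = []  # placeholder for the view's real list data
        data = {"listitems": items}
        # Add the CSRF token to the template context
        data.update(csrf(request))
        return render_to_response('template.html', data)
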
0

Source: https://habr.com/ru/post/888595/

