Kevin Zen

Reputation: 111

Apache Django CSRF 403 cookie not set

I am trying to switch my project over from the default Django server to Apache and have gotten my website up through a domain name; however, I'm getting a CSRF 403 message when trying to log in to the Django authentication system and as an admin through "mysite.com/admin". These were all working on localhost before I configured my Apache server.

I'm having trouble figuring out what steps to take to debug this, as all the suggestions give responses such as setting "CSRF_COOKIE_HTTPONLY" to true and rendering RequestContext etc., all of which I've already done to get the CSRF auth working on my localhost.

I've been stuck on this for days and any help would be deeply appreciated.

Settings.py

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.security.SecurityMiddleware',
)
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True

AUTH_PROFILE_MODULE = "mysite.UserProfile"

Sample views.py

from django.shortcuts import render
# Django 1.8+; on older releases the import is django.core.context_processors
from django.template.context_processors import csrf

def login(request):
    c = {}
    c.update(csrf(request))  # adds csrf_token to the template context
    username = request.POST.get('username', '')  # read, not yet used here
    return render(request, 'login.html', c)

Apache config file (000-default.conf)

<VirtualHost *:80>
    ServerName mysite.com
    Alias /static /var/www/mysite/static/static_root/
    <Directory /var/www/mysite/static/static_root>
        Require all granted
    </Directory>

    <Directory /var/www/mysite/mysite>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    ServerAdmin [email protected]
    Servername mysite.com

    WSGIScriptAlias / /var/www/mysite/mysite/wsgi.py
    WSGIDaemonProcess mysite.com python-path=/var/www:/usr/local/lib/python2.7/site-packages
    WSGIProcessGroup mysite.com
</VirtualHost>

All my form actions in my templates have {% csrf_token %}. All my files (besides the config file) are in /var/www and I've given it 755 access.

Upvotes: 1

Views: 1406

Answers (1)

Thomas Orozco

Reputation: 55207

You set CSRF_COOKIE_SECURE to True, which means your CSRF cookie will be HTTPS-only (i.e. your browser will only send the cookie over an HTTPS connection).

However, your site is served over HTTP (as evidenced by the fact that there are no SSL directives in your Apache configuration).

Either serve your site over HTTPS, or leave CSRF_COOKIE_SECURE at its default value (which is False).

Upvotes: 2
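As an added illustration (not Django's code and not part of the answer), the following Python models the mechanism the answer describes: a browser only sends a Secure cookie over HTTPS, so on a plain-HTTP site the CSRF cookie never reaches the middleware and the POST is refused with Django's "CSRF cookie not set." reason. It goes one step further than the answer by auditing both Secure flags from the question's settings against the scheme the site is served on; the names login_post and audit_cookie_settings are the example's own.

```python
"""Model (added, not Django code) of why a Secure CSRF cookie gives 403 over plain HTTP."""
from dataclasses import dataclass

# Reason strings Django shows on its CSRF 403 page.
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_MISMATCH = "CSRF token missing or incorrect."

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False

def cookies_sent_by_browser(jar, scheme):
    """A browser attaches a Secure cookie only to HTTPS requests."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}

def csrf_check(cookies, posted_token):
    """Simplified CsrfViewMiddleware decision for a POST: (allowed, reason)."""
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return False, REASON_NO_COOKIE
    if posted_token != cookie_token:  # Django compares masked tokens; same outcome
        return False, REASON_MISMATCH
    return True, ""

def login_post(settings, served_scheme):
    """GET set the csrftoken cookie with the Secure flag from settings; the form
    rendered by {% csrf_token %} carries the same token; the POST is checked."""
    jar = [Cookie("csrftoken", "tok123", secure=settings["CSRF_COOKIE_SECURE"])]
    return csrf_check(cookies_sent_by_browser(jar, served_scheme), "tok123")

def audit_cookie_settings(settings, served_scheme):
    """Flag Secure flags that do not match the scheme the site is served on."""
    findings = []
    for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE"):
        flag = settings.get(name, False)
        if flag and served_scheme == "http":
            findings.append(f"{name}=True on an HTTP site: browser never sends it")
        elif not flag and served_scheme == "https":
            findings.append(f"{name}=False on an HTTPS site: cookie also leaks over HTTP")
    return findings

# The question's settings.py values, as posted.
ASKER_SETTINGS = {"CSRF_COOKIE_SECURE": True, "SESSION_COOKIE_SECURE": True}

if __name__ == "__main__":
    print(login_post(ASKER_SETTINGS, "http"))   # (False, 'CSRF cookie not set.')
    print(login_post(ASKER_SETTINGS, "https"))  # (True, '')
    print(audit_cookie_settings(ASKER_SETTINGS, "http"))
```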
