Reputation: 495
For some reason, the cookie is stored on the backend domain.
This does not allow the front-end to access the stored cookies.
I have implemented an authentication API using the following, but as far as I can tell, there is no setting to change the domain where cookies are stored.
CORS_ALLOWED_ORIGINS = ['https://example.com']
CORS_ALLOW_CREDENTIALS = True
How can I store cookies on the front-end domain?
Upvotes: 3
Views: 2707
Reputation: 371
@Amir Heshmati, SESSION_COOKIE_DOMAIN = "example.com" will only set my sessionid there. How would I set the JWT httpOnly cookie to the frontend domain? For dj_rest_auth I have configured it like this, as the GitHub suggested:
REST_AUTH = {
    "USE_JWT": True,
    "JWT_AUTH_COOKIE": "jwt-auth",
    "JWT_AUTH_REFRESH_COOKIE": "jwt-auth-refresh",
    "JWT_AUTH_SECURE": False,
    "JWT_AUTH_HTTPONLY": True,
    "JWT_AUTH_SAMESITE": "Lax",
}
But here there is no path setting! In the docs they have a setting called JWT_REFRESH_COOKIE_PATH but not JWT_AUTH_COOKIE_PATH! So, @Jvn, how did the answer solve your query?
People who are wondering why this is happening can refer back to this GitHub issue.
Upvotes: 0
Reputation: 648
I think you are looking for SESSION_COOKIE_DOMAIN.
The domain to use for session cookies. Set this to a string such as "example.com" for cross-domain cookies, or use None for a standard domain cookie.
To use cross-domain cookies with CSRF_USE_SESSIONS, you must include a leading dot (e.g. ".example.com") to accommodate the CSRF middleware’s referer checking.
Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old domain. This may result in them being unable to log in as long as these cookies persist.
Also, response.set_cookie has a domain argument as well.
Upvotes: 0
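An added example, not code from any of the posts above: it models the browser rule behind this thread, namely that a cookie is stored only when the responding host domain-matches the `Domain` attribute (RFC 6265), and that a cookie without `Domain` stays host-only on the backend. The hosts `api.example.com` (backend) and `frontend.example.org` and the token value are constructed for illustration; only the standard library is used.

```python
from http.cookies import SimpleCookie
from typing import Optional


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")  # leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)


def browser_accepts(setting_host: str, domain_attr: Optional[str]) -> bool:
    """The responding host must domain-match the Domain attribute, otherwise
    the browser drops the cookie. No attribute means a host-only cookie.
    Public-suffix rejection (Domain=com) and IP hosts are not modelled."""
    return domain_attr is None or domain_match(setting_host, domain_attr)


def sent_to(request_host: str, setting_host: str, domain_attr: Optional[str]) -> bool:
    """Would the browser attach the cookie to a request for request_host?"""
    if not browser_accepts(setting_host, domain_attr):
        return False
    if domain_attr is None:  # host-only: exact host that set it
        return request_host.lower() == setting_host.lower()
    return domain_match(request_host, domain_attr)


def build_set_cookie(name: str, value: str, domain: Optional[str] = None) -> str:
    """Set-Cookie value with the flags an auth cookie should carry."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    if domain:
        cookie[name]["domain"] = domain
    return cookie[name].OutputString()


if __name__ == "__main__":
    BACKEND, FRONTEND = "api.example.com", "example.com"  # constructed hosts
    for attr in (None, "example.com", "frontend.example.org"):
        print(build_set_cookie("jwt-auth", "constructed-token", attr))
        print("  stored:", browser_accepts(BACKEND, attr),
              "| sent to frontend:", sent_to(FRONTEND, BACKEND, attr))
```

With HttpOnly set, script running on the front end still cannot read the cookie; the `Domain` attribute only controls which hosts the browser sends it to.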