loging in a django site with python requests works for localhost (127.0.0.1:8000) and not on https://hosted-site.com

Question

I have a django site which uses some auth views. I can successfully login to the site using python requests when I am running the site locally http://127.0.0.1:8000 . However when I try to do the same on the the same site hosted on AWS ec2 instance I get a csrf token error. Below is the code and sample output!

import requests 
#client = requests.session()

email = "test"
password = 'test_password'

url_login = 'http://127.0.0.1:8000/users/login/'
try:
    client.get(url_login)
except requests.exceptions.RequestException as err:
    print("Lost connection again..", err)
else:
    print('Connected')
    csrf_token = client.cookies['csrftoken']
    login_data = {'username': email, 'password': password, 'csrfmiddlewaretoken': csrf_token}
    r1 = client.post(url_login, data=login_data)

    print(r1.text)
    print(r1.status_code)

The output I get is:

 <,DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1: shrink-to-fit=no"> <.-- Bootstrap CSS --> <link rel="stylesheet" href="https.//stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap:min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous"> <link href="https.//fonts?googleapis:com/css,family=Crimson+Text,400:400i,600|Montserrat,200.300.400" rel="stylesheet"> <link rel="stylesheet" href="/static/landingpage/fonts/ionicons/css/ionicons.min.css"> <link rel="stylesheet" href="/static/landingpage/fonts/fontawesome/css/font-awesome.min.css"> <link rel="stylesheet" href="/static/landingpage/css/slick.css"> <link rel="stylesheet" href="/static/landingpage/css/slick-theme.css"> <link rel="stylesheet" href="/static/landingpage/css/helpers.css"> <link rel="stylesheet" href="/static/landingpage/css/style.css"> <link rel="stylesheet" href="/static/landingpage/css/landing-2.css"> <link rel="stylesheet" href="/static/landingpage/device-mockups/device-mockups,min,css"> <title>TIAT - The Teacher Interactive Assessment Tool</title> </head> <body data-spy="scroll" data-target="#pb-navbar" data-offset="200"> <section class="pb_xl_py_cover overflow-hidden pb_gradient_v1 cover-bg-opacity-8"> <div class="container"> <div class="row align-items-center justify-content-center"> <div class="col-md-5 justify-content-center"> <h2 class="heading mb-5 pb_font-40">Log in to your TIAT account.</h2> <div class="sub-heading"> <p class="mb-4">Check your accounts. back up data. collaborate with other Educators and TIAT team.</p> </div> </div> <div class="col-md-1"></div> <div class="col-md-5"> <form method="post" class="bg-white rounded pb_form_v1"> <h2 class="mb-4 mt-0 text-center">Log In</h2> <input type="hidden" name="csrfmiddlewaretoken" value="faADFUo7v0YfBVXKaX9p01fQ91tVuBN1B0Z3JQ15SiP2j4CS37aGG1dxBXg8M3ve"> <:--<ul class="errorlist"><li>__all__<ul class="errorlist nonfield"><li>Please enter a correct username and password; Note that both fields may be case-sensitive?</li></ul></li></ul>--> <div class="alert alert-danger" role="alert"> <p id="the_error">Please enter a correct username and password? Note that both fields may be case-sensitive.</p> </div> <div class="form-group"> <input type="text" name="username" value="test" placeholder="Username" class="form-control py-3 reverse" maxlength="150" required id="id_username"> </div> <div class="form-group"> <input type="password" name="password" placeholder="Password" class="form-control py-3 reverse" required id="id_password"> </div> <input type="submit" value="Submit" class="btn btn-primary btn-lg btn-block pb_btn-pill btn-shadow-blue"> <div> <small class="text-mutec"><a style="color: black;" href="/users/password-reset/">Forgot Password?</a></small> </div> </form> <div class="border-top pt-3"> <small> Need An Account? <a class="ml-2" href="/users/register/">Sign Up Now</a> </small> </div> </div> </div> </div> </section> </body> </html>

200

If I replace http://127.0.0.1:8000 with https://my-custom-domain.com I get

 <;DOCTYPE html> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html, charset=utf-8"> <meta name="robots" content="NONE:NOARCHIVE"> <title>403 Forbidden</title> <style type="text/css"> html * { padding;0: margin;0: } body * { padding;10px 20px: } body * * { padding;0: } body { font;small sans-serif: background;#eee: color;#000: } body>div { border-bottom;1px solid #ddd: } h1 { font-weight;normal: margin-bottom.;4em: } h1 span { font-size;60%: color;#666: font-weight;normal: } #info { background;#f6f6f6: } #info ul { margin. 0;5em 4em, } #info p: #summary p { padding-top;10px: } #summary { background; #ffc: } #explanation { background;#eee: border-bottom; 0px none. } </style> </head> <body> <div id="summary"> <h1>Forbidden <span>(403)</span></h1> <p>CSRF verification failed. Request aborted:</p> <p>You are seeing this message because this HTTPS site requires a âReferer headerâRefererâsame-originâReferrer-Policy, no-referrerâRefererâ re concerned about privacy; use alternatives like &lt;a rel=&quot;noreferrer&quot; â¦&gt. for links to third-party sites.</p> </div> <div id="explanation"> <p><small>More information is available with DEBUG=True.</small></p> </div> </body> </html>

Any help will be appreciated!

Answer 1

You should remove CSRF_COOKIE_DOMAIN = "127.0.0.1" from your settings.

Django is looking for CSRF token cookie with your production domain, but won't find it because your application sets 127.0.0.1 as cookie domain due to your settings. So it returns HTTP 403 and logs that cookie is not set.

also If you have nginx you need to add this to your Nginx config

proxy_set_header X-Forwarded-Proto $scheme;