Django Csrf Cookie Not Set

Django CSRF Cookie Not Set

This can also occur if CSRF_COOKIE_SECURE = True is set and you are accessing the site non-securely or if CSRF_COOKIE_HTTPONLY = True is set as stated here and here

Django and React: csrf cookie is not being set in request header

I suggest to you that try to work with your both servers using HTTPS. Some help:
Django

  • How can I test https connections with Django as easily as I can non-https connections using 'runserver'?
  • https://timonweb.com/django/https-django-development-server-ssl-certificate/

To ReactJS simply use the same certificates generated to use in Django to tun the server with next command:

HTTPS=true SSL_CRT_FILE=path/server.crt SSL_KEY_FILE=path/server.key npm start

This with the goal of change your settings:

CSRF_COOKIE_PATH = '/'
CSRF_COOKIE_SAMESITE = 'Strict'  
CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = [ "https://127.0.0.1:3000", ...]

But is not totally necessary.

Now, your view GetCSRFToken is incorrect because return a message.
This an example that I have implemented. The key is the decorator ensure_csrf_cookie

Views.py:

from django.utils.decorators import method_decorator
from django.views.decorators.csrf import ensure_csrf_cookie

class CsrfTokenView(APIView):
"""Send to the login interface the token CSRF as a cookie."""

    @method_decorator(ensure_csrf_cookie)
    def get(self, request, *args, **kwargs) -> Response:
        """Return a empty response with the token CSRF.

        Returns
        -------
        Response
            The response with the token CSRF as a cookie.
        """
        return Response(status=status.HTTP_204_NO_CONTENT)

In ReactJS just code a useEffect with empty dependencies to do the request just after mount the component.

useEffect(() => {
    axios.get('/url/csrf-token/', {
            headers: { 'Authorization': null },
            withCredentials: true,
        }
    ).catch( () => {
        alert('Error message.');
    });
}, []);

At this point, you will be able to watch the cookie in 'developer tools'.
Finally, in your LoginView add the csrf_protect decorator to your post method to make sure the endpoint needs the CSRF_TOKEN.

Views.py:

from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie
...

class LoginView(views.APIView):
    ...
    @method_decorator(csrf_protect)
    def post(self,request):
        # code

Don't forget map the url of the csrf view and put the correct in the request (useEffect).

Also in your request of login, add withCredentials: true. This way the request sent the cookies (CSRF). Django is going to compare the header X-CSRFToken with the value of the cookie received and if match, it is going to execute the method body.

I think that's it.
Let me know if it works.


Related Topics

Numpy Random Choice to Produce a 2D-Array with All Unique Values

Changing an Element in One List Changes Multiple Lists

Reloading Module Giving Nameerror: Name 'Reload' Is Not Defined

Execute a File with Arguments in Python Shell

Multiple Pipes in Subprocess

Efficiently Return the Index of the First Value Satisfying Condition in Array

Execute Terminal Command from Python in New Terminal Window

Pandas: Get Dummies

Remove Quotes from String in Python

How to Change Index of a for Loop

Pandas Make New Column from String Slice of Another Column

Beginner Python: Reading and Writing to the Same File

Transpose Nested List in Python

Python: Can Executable Zip Files Include Data Files

Importerror: No Module Named _Ssl

Python: Source Code String Cannot Contain Null Bytes

Print Series of Prime Numbers in Python

Correct Code to Remove the Vowels from a String in Python


Leave a reply



Submit