Django server does not accept cookies


When I try to send a POST request to the Django app hosted on the server, with included credentials in the Axios request or with the Postman app, I cannot access cookies in the app, because cookies are never sent.

Axios config looks like this:

import axios from "axios";

// Client factory for one API host. withCredentials makes the browser attach
// cookies to cross-origin requests; the server still has to allow them via CORS.
export function genericApiHost(host: string) {
  const headers = {
    "Content-Type": "application/json",
    Accept: "application/json",
    // "Access-Control-Allow-Origin": true,
  };
  return axios.create({
    baseURL: `${host}`,
    headers: headers,
    withCredentials: true,
  });
}

If I include the allow origin header I get a CORS error, otherwise, cookies are not sent.

This is part of the Django app settings:

CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
CSRF_COOKIE_SECURE = False
CSRF_COOKIE_HTTPONLY = False
CSRF_TRUSTED_ORIGINS = ['*']
ALLOWED_HOSTS = ["*"]

With the settings I listed here, the application works correctly locally, but when the code is uploaded to the nginx server, it doesn't work.

Based on the information you provided, it seems that you are having trouble accessing cookies in your Django app when sending a POST request with credentials. You mentioned that cookies are never sent, and you cannot access them. You also mentioned that if you include the allow origin header, you get a CORS error, and if you don't include it, cookies are not sent.

You have set CORS_ALLOW_ALL_ORIGINS and CORS_ALLOW_CREDENTIALS to True, and CSRF_COOKIE_SECURE, CSRF_COOKIE_HTTPONLY, CSRF_TRUSTED_ORIGINS, and ALLOWED_HOSTS to False, False, ['*'], and ["*"], respectively. These settings work correctly locally, but when you upload the code to the nginx server, it doesn't work.

Based on your description, it seems that you are facing a CORS issue. The error message you mentioned indicates that the browser is blocking the cookie because of the SameSite attribute. This attribute is set to Lax by default, which prevents the cookie from being sent in a cross-site request. To resolve this issue, you need to update the attributes of the cookie. Here is an example of how to set the cookie in Django:

from django.conf import settings
from django.http import JsonResponse


# Hypothetical view wrapping the snippet: `response` is the HttpResponse the
# view returns, and the cookie attributes are read from the SIMPLE_JWT settings.
def login_view(request):
    response = JsonResponse({"detail": "ok"})
    response.set_cookie(
        key='csrftoken',
        value=request.META['CSRF_COOKIE'],
        expires=settings.SIMPLE_JWT['REFRESH_TOKEN_LIFETIME'],
        path=settings.SIMPLE_JWT['AUTH_COOKIE_PATH'],
        secure=settings.SIMPLE_JWT['AUTH_COOKIE_SECURE'],
        httponly=False,
        samesite='Lax'
    )
    return response

You can also try setting CSRF_COOKIE_SECURE and CSRF_COOKIE_HTTPONLY to True in your Django app settings. Additionally, you may want to check if your server has the Access-Control-Allow-Origin header set. If not, you can add it to your server configuration to allow cross-origin requests.
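As an added example (not code from the question or the answer), a plain-Python audit of the settings discussed in this thread: SameSite=Lax cookies are withheld on cross-site POSTs, SameSite=None is only honoured together with Secure, and the wildcard CORS, CSRF_TRUSTED_ORIGINS and ALLOWED_HOSTS values disable the origin and host checks. The frontend/API origins, the site-matching rule and the HARDENED_SETTINGS values are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the settings from the question plus the Django defaults
# it does not override (both cookies default to SameSite=Lax, Secure=False).
QUESTION_SETTINGS = {
    "CORS_ALLOW_ALL_ORIGINS": True, "CORS_ALLOW_CREDENTIALS": True,
    "CSRF_COOKIE_SECURE": False, "CSRF_COOKIE_HTTPONLY": False,
    "CSRF_COOKIE_SAMESITE": "Lax", "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_TRUSTED_ORIGINS": ["*"], "ALLOWED_HOSTS": ["*"],
}


def site_of(origin: str) -> str:
    """Approximate the 'site' (scheme + last two host labels) a browser compares
    for SameSite. Assumption: no public suffix list, fine for these hosts."""
    parts = urlsplit(origin)
    return parts.scheme + "://" + ".".join(parts.hostname.split(".")[-2:])


def audit_cross_site_cookies(settings: dict, frontend: str, api: str) -> list:
    """Explain why credentials may not reach Django from `frontend` and which
    settings widen exposure. Returns a list of findings (empty = none)."""
    findings = []
    cross_site = site_of(frontend) != site_of(api)
    for p in ("CSRF", "SESSION"):
        samesite = settings.get(f"{p}_COOKIE_SAMESITE", "Lax")
        secure = settings.get(f"{p}_COOKIE_SECURE", False)
        if cross_site and samesite in ("Lax", "Strict"):
            findings.append(f"{p}_COOKIE_SAMESITE={samesite}: browser withholds the cookie on a cross-site POST")
        if samesite == "None" and not secure:
            findings.append(f"{p}_COOKIE_SAMESITE=None requires {p}_COOKIE_SECURE=True, otherwise browsers drop it")
    if settings.get("CORS_ALLOW_ALL_ORIGINS") and settings.get("CORS_ALLOW_CREDENTIALS"):
        findings.append("CORS_ALLOW_ALL_ORIGINS+CORS_ALLOW_CREDENTIALS: any origin may send credentialed requests; use CORS_ALLOWED_ORIGINS")
    if "*" in settings.get("CSRF_TRUSTED_ORIGINS", []):
        findings.append("CSRF_TRUSTED_ORIGINS: '*' is not a valid entry, list scheme://host origins")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS=['*'] disables Host header validation")
    return findings


# Settings for a cross-site SPA over HTTPS; the origins are assumed examples.
HARDENED_SETTINGS = {
    **QUESTION_SETTINGS,
    "CORS_ALLOW_ALL_ORIGINS": False, "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],
    "CSRF_COOKIE_SECURE": True, "CSRF_COOKIE_SAMESITE": "None",
    "SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_SAMESITE": "None",
    "CSRF_TRUSTED_ORIGINS": ["https://app.example.com"], "ALLOWED_HOSTS": ["api.example.org"],
}
```

Running the audit with http://localhost:3000 against http://localhost:8000 reports no SameSite finding, which matches "works locally"; with https://app.example.com against https://api.example.org the Lax cookies are flagged, which is the cross-site case behind nginx.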