Opened 3 months ago

Closed 3 months ago

#35805 closed Bug (invalid)

CSRF errors when using custom domains but not when using azure default domain

Reported by: Dan Martinez Owned by:
Component: CSRF Version: 5.0
Severity: Normal Keywords: CSRF custom-domain CORS azure
Cc: Dan Martinez Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

Deployed as a web app in Azure and added my custom purchased (namecheap.com) domain name, let's call it 'i-heart-java.com'. I added the custom domain URL into the ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS lists, both as https and http, including with extra 'www.' entries. App pulls up successfully on those URLs and my page works for the most part, except when logging into any part of the app VIA MY CUSTOM DOMAIN; otherwise login works fine with the Azure default domain. Error shows:

2024-09-24T14:24:35.1649753Z Forbidden (Origin checking failed - https://www.mydomain.com does not match any trusted origins.): /admin/login/

Followed the documentation and have searched this issue to find I am (so far) the only one encountering it. My settings file details are below and I have tried to mix and match these related booleans with no luck:

ALLOWED_HOSTS = [
    'https://127.0.0.1:8000',
    '127.0.0.1',
    'https://mydomain-XXX.eastus-0X.azurewebsites.net/',  # <- Azure default domain (logins work with no csrf errors here)
    "http://mydomain.com",
    'https://mydomain.com',
    "http://www.mydomain.com",
    'https://www.mydomain.com',
    # ..others..
]

SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False
CORS_ALLOW_ALL_ORIGINS = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
CSRF_USE_SESSIONS = True
SESSION_COOKIE_DOMAIN = '.charotte100.com'
SESSION_COOKIE_SECURE = True

CSRF_TRUSTED_ORIGINS = [
    "https://mydomain.com",
    "http://mydomain.com",
    "https://www.mydomain.com",
    "http://www.mydomain.com",
    # ..others..
]

I am not using any reverse proxy like Nginx and have the bog-standard CSRF middleware installed and am running via the standard gunicorn app command. Can anyone shed any light on whether this is a possible Django issue or if my configuration is correct or if this is possibly a custom domain DNS issue?
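For readers debugging the "Origin checking failed" message above, the following is an added example (not part of this ticket and not Django's own code) that re-implements in plain Python the three ways CsrfViewMiddleware in Django 4.0+ accepts an Origin header: same-origin with the request's own scheme and host, an exact entry in CSRF_TRUSTED_ORIGINS, or a scheme-matched wildcard entry such as https://*.example.com. The request host, secure flag and the trusted-origin lists passed in are constructed inputs; the azurewebsites.net hostname is a placeholder.

```python
from urllib.parse import urlsplit


def is_same_domain(host, pattern):
    """Wildcard domain match as Django's django.utils.http.is_same_domain does it:
    a pattern starting with '.' matches the bare domain and any subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    return (
        pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:])
    ) or pattern == host


def origin_verified(origin, request_host, request_is_secure, trusted_origins):
    """Return True if `origin` (the request's Origin header) would pass the CSRF
    origin check, given the host Django resolved for the request, whether Django
    considers the request secure, and the CSRF_TRUSTED_ORIGINS setting."""
    # 1. Same-origin: scheme://host of the request itself. The scheme comes from
    #    request.is_secure(), so TLS terminated upstream without a trusted proxy
    #    header yields "http://..." here and this path silently fails for HTTPS origins.
    scheme = "https" if request_is_secure else "http"
    if origin == "%s://%s" % (scheme, request_host):
        return True
    # 2. Exact string match against entries with no wildcard. Note there is no
    #    normalisation: a trailing slash or different case never matches.
    exact = {o for o in trusted_origins if "*" not in o}
    if origin in exact:
        return True
    # 3. Wildcard entries, grouped by scheme: 'https://*.example.com' -> '.example.com'.
    by_scheme = {}
    for o in trusted_origins:
        if "*" in o:
            parsed = urlsplit(o)
            by_scheme.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
    try:
        parsed_origin = urlsplit(origin)
    except ValueError:
        return False
    return any(
        is_same_domain(parsed_origin.netloc, host)
        for host in by_scheme.get(parsed_origin.scheme, ())
    )


if __name__ == "__main__":
    trusted = ["https://mydomain.com", "https://www.mydomain.com"]
    print(origin_verified("https://www.mydomain.com", "www.mydomain.com", True, trusted))
    print(origin_verified("https://www.mydomain.com", "www.mydomain.com", False, ["https://www.mydomain.com/"]))
```

The second call in the demo prints False because the only trusted entry carries a trailing slash and the insecure request scheme removes the same-origin fallback, which is the kind of silent mismatch worth ruling out when the error names an origin that looks present in the list.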

Change History (1)

comment:1 by Tim Graham, 3 months ago

Resolution: invalid
Status: new → closed

See TicketClosingReasons/UseSupportChannels for ways to get help.
