5

I have a simple django 2.2 project that I am trying to publish. I am trying to secure the website as best I can. One of the options is SESSION_COOKIE_SECURE. When set to True, my admin pages just won't work. When I go to the /admin page, I will see a login. Inputting the correct login and password just brings me back to the exact same page. If I input the wrong login and password, then an error message pops up. So I know I have used the right password. There's nothing special about my admin setup. It's just in the urls.py of the project folder

    from django.contrib import admin
    from django.urls import path

    urlpatterns = [
        path('admin/', admin.site.urls),  # stock admin, no custom AdminSite
        ...  # the project's other routes follow here
    ]

Of course if I set SESSION_COOKIE_SECURE to False, the admin pages work. I have tried setting SESSION_COOKIE_DOMAIN to my domain and that doesn't help. What am I missing? Thanks.

EDIT: I have just tried the following set of options based on the Django docs but I am not getting it working.

SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

ANOTHER EDIT: So the above works in Production (which has HTTPS) but not in Development. This is good but also troubling to some degree. We want our production and development environment to be as close as possible so that features and stuff can be tested. I wonder what the best practice is when it comes to testing these troublesome little Django settings.

Alpha8
  • For certain things you can't avoid different settings on development and on production. The practice is that you have a "staging" or "test" environment that you can deploy to that does have certificates and SSL installed and where everything is as close to production as possible. `runserver` isn't the same as your production environment anyway. And in one instance you have `DEBUG = True`, on production not. – dirkgroten Jun 03 '19 at 15:04
  • Possible duplicate of [How can I test https connections with Django as easily as I can non-https connections using 'runserver'?](https://stackoverflow.com/questions/8023126/how-can-i-test-https-connections-with-django-as-easily-as-i-can-non-https-connec) – dirkgroten Jun 03 '19 at 15:07
  • Got this exact scenario, I only wanted to make the admin work on HTTP only. Is there any way to make it work properly? I already set the above settings to `False` and still the result is the same. – Shift 'n Tab Sep 12 '20 at 18:45
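The "ANOTHER EDIT" above and the comment about a staging environment come down to one practical question: how to keep a single settings file that is safe in production but still lets `runserver` work over plain HTTP. The following settings.py fragment is an added example (not the asker's project and not Django's own code): it keys the three HTTPS-only settings on an environment variable. The variable names `DJANGO_HTTPS` and `DJANGO_BEHIND_TLS_PROXY` and the helper `transport_security_settings` are assumptions chosen for this example.

```python
# settings.py fragment (added example, not from the question or answers).
# The HTTPS-only settings are derived from the environment so that
# development over http://127.0.0.1:8000 and production behind TLS share
# one settings module instead of diverging copies.
import os

# Assumed variable names for this example: set DJANGO_HTTPS=1 in production
# and in any staging environment that has a real certificate; leave it unset
# for `manage.py runserver`, which only speaks plain HTTP.
HTTPS_ENABLED = os.environ.get("DJANGO_HTTPS", "0") == "1"
BEHIND_TLS_PROXY = os.environ.get("DJANGO_BEHIND_TLS_PROXY", "0") == "1"


def transport_security_settings(https_enabled, behind_proxy=False):
    """Return the cookie/redirect settings appropriate for one deployment.

    https_enabled=False keeps the Secure flags off. With them on, a browser
    never returns the session and CSRF cookies over http://, so every admin
    login succeeds server-side and then bounces straight back to the form,
    which is the symptom described in the question.
    """
    settings = {
        "SECURE_SSL_REDIRECT": https_enabled,
        "SESSION_COOKIE_SECURE": https_enabled,
        "CSRF_COOKIE_SECURE": https_enabled,
    }
    if https_enabled and behind_proxy:
        # When a proxy such as Nginx terminates TLS and forwards to gunicorn
        # over plain HTTP, Django only knows the original request was HTTPS
        # if the proxy says so. Without this, SECURE_SSL_REDIRECT redirects
        # every request forever. Only trust the header if the proxy always
        # sets or overwrites it, otherwise a client can spoof it.
        settings["SECURE_PROXY_SSL_HEADER"] = ("HTTP_X_FORWARDED_PROTO", "https")
    return settings


# Apply the chosen values as ordinary module-level settings.
globals().update(transport_security_settings(HTTPS_ENABLED, BEHIND_TLS_PROXY))
```

In production, `python manage.py check --deploy` reports a warning for each of SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE that is still off, so running it with the production environment variables set is a cheap way to confirm the switch actually took effect before the site goes live.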

2 Answers

4

Actually, the following works.

    SECURE_SSL_REDIRECT = True    # redirect every http:// request to https://
    SESSION_COOKIE_SECURE = True  # browser sends the session cookie only over HTTPS
    CSRF_COOKIE_SECURE = True     # same for the CSRF cookie

It is just that when testing on my development environment, HTTPS is not available.

Alpha8
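The reason the answer above works only where HTTPS is available is a browser rule, not a Django one: a cookie carrying the Secure attribute is never attached to an http:// request. Django's login view sets the session cookie, the browser keeps it but will not send it back over plain HTTP, so the next request to /admin/ arrives anonymous and is redirected to the login form. The script below is an added example (not code from the question or the answers) that reproduces this with the standard library's http.cookiejar, which enforces Secure the same way; no Django install is needed. The hosts `127.0.0.1:8000` and `example.com`, the session key and the Set-Cookie value are constructed for the example.

```python
"""
Added example: why SESSION_COOKIE_SECURE=True over plain HTTP looks like a
login that "succeeds" and then bounces back to the form.

The browser side is simulated with http.cookiejar.CookieJar, which applies
the Secure attribute exactly as a browser does: a Secure cookie is stored
but never attached to an http:// request. The Set-Cookie value is
constructed here to match the shape of Django's sessionid cookie.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response, enough for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header_value in set_cookie_headers:
            self._headers["Set-Cookie"] = header_value  # repeated header is allowed

    def info(self):
        return self._headers


def django_session_set_cookie(session_key, secure):
    """Build a Set-Cookie value shaped like Django's sessionid cookie.

    Django sends HttpOnly and Path=/ by default (SESSION_COOKIE_HTTPONLY,
    SESSION_COOKIE_PATH), SameSite=Lax by default since 2.1, and adds
    'Secure' only when SESSION_COOKIE_SECURE=True.
    """
    parts = [f"sessionid={session_key}", "HttpOnly", "Path=/", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def session_cookie_returned(login_url, next_url, secure):
    """Simulate login at login_url, then check whether the session cookie
    is sent with the follow-up request to next_url.

    Returns True when the simulated browser attaches sessionid, i.e. when
    Django would see an authenticated user on the admin index.
    """
    jar = http.cookiejar.CookieJar()

    # Step 1: the login POST response sets the session cookie.
    login_request = urllib.request.Request(login_url, method="POST")
    login_response = _FakeResponse([django_session_set_cookie("abc123", secure)])
    jar.extract_cookies(login_response, login_request)

    # Step 2: the browser follows the redirect to the admin index and the
    # jar decides which stored cookies may accompany that request.
    next_request = urllib.request.Request(next_url)
    jar.add_cookie_header(next_request)
    cookie_header = next_request.get_header("Cookie", "")
    return "sessionid=" in cookie_header


if __name__ == "__main__":
    dev_login, dev_admin = "http://127.0.0.1:8000/admin/login/", "http://127.0.0.1:8000/admin/"
    prod_login, prod_admin = "https://example.com/admin/login/", "https://example.com/admin/"
    print("runserver, Secure cookie:   ", session_cookie_returned(dev_login, dev_admin, secure=True))
    print("runserver, plain cookie:    ", session_cookie_returned(dev_login, dev_admin, secure=False))
    print("HTTPS site, Secure cookie:  ", session_cookie_returned(prod_login, prod_admin, secure=True))
```

Python's cookie jar stores the Secure cookie even though it arrived over http:// and merely refuses to send it; current browsers go one step further and refuse to store a Secure cookie set from a plain-HTTP origin at all. Either way the server never sees the session cookie again, which is why the wrong-password case shows an error (no cookie involved) while the right-password case silently loops.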
0

It seems the SESSION_COOKIE_SECURE option works correctly only over an HTTPS connection.

But I have no idea why it works under HTTP in my local environment with Django's default manage.py runserver but not with Nginx / gunicorn in production...