Skip to content

Instantly share code, notes, and snippets.

@axilaris

axilaris/settings.py configuration SessionAuthentication For HTTP (not HTTPS)

Created March 9, 2024 01:27
Show Gist options
  • Save axilaris/f0f41dc843c05d0f4cfd40cfefb3478e to your computer and use it in GitHub Desktop.
Save axilaris/f0f41dc843c05d0f4cfd40cfefb3478e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET / HTTP/1.1" 200 644 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /static/css/main.9d7cbdf2.css HTTP/1.1" 200 235974 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /static/js/main.c0645258.js HTTP/1.1" 200 212732 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /static/js/main.c0645258.js HTTP/1.1" 200 212732 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
backend_container | Forbidden: /api/user
backend_container | WARNING:django.request:Forbidden: /api/user
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /manifest.json HTTP/1.1" 200 492 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /favicon.ico HTTP/1.1" 200 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:23:47 +0000] "GET /logo192.png HTTP/1.1" 200 644 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:02 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /static/js/main.c0645258.js HTTP/1.1" 304 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /static/css/main.9d7cbdf2.css HTTP/1.1" 304 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /static/js/main.c0645258.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
backend_container | Forbidden: /api/user
backend_container | WARNING:django.request:Forbidden: /api/user
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /favicon.ico HTTP/1.1" 304 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /manifest.json HTTP/1.1" 304 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
nginx-1 | 192.168.65.1 - - [09/Mar/2024:01:24:03 +0000] "GET /logo192.png HTTP/1.1" 304 0 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "-"
Raw
settings.py configuration SessionAuthentication For HTTP (not HTTPS)
SESSION_COOKIE_HTTPONLY = True # Default value is True, which is recommended
SESSION_COOKIE_SAMESITE = 'Lax' # Consider 'None' if strictly necessary and secure is set
SESSION_COOKIE_SECURE = False # Set to True if you are using HTTPS
CSRF_COOKIE_HTTPONLY = False # Should generally be False to allow JavaScript to read the value
CSRF_COOKIE_SECURE = False # Set to True if you are using HTTPS
@axilaris
Copy link
Author

axilaris commented Mar 9, 2024

http://127.0.0.1:8000/api/login <-- Chrome Network logs

Request URL:
http://127.0.0.1:8000/api/login
Request Method:
POST
Status Code:
200 OK
Remote Address:
127.0.0.1:8000
Referrer Policy:
strict-origin-when-cross-origin
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Origin:
http://localhost
Allow:
POST, OPTIONS
Connection:
close
Content-Length:
52
Content-Type:
application/json
Cross-Origin-Opener-Policy:
same-origin
Date:
Sat, 09 Mar 2024 07:02:30 GMT
Referrer-Policy:
same-origin
Server:
gunicorn
Set-Cookie:
csrftoken=pohN1hpHDOVVr6feTYby7Luzwl7NFf47; expires=Sat, 08 Mar 2025 07:02:30 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:
sessionid=nf23gfim69a8ynjo59u16lg9og7e9j3h; expires=Sat, 23 Mar 2024 07:02:30 GMT; HttpOnly; Max-Age=1209600; Path=/
Vary:
Accept, Cookie, Origin
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
Accept:
application/json, text/plain, /
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Content-Length:
52
Content-Type:
application/json
Host:
127.0.0.1:8000
Origin:
http://localhost
Referer:
http://localhost/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"macOS"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

@axilaris
Copy link
Author

axilaris commented Mar 9, 2024

Request URL:
http://127.0.0.1:8000/api/user <-- Chrome Network logs
Request Method:
GET
Status Code:
403 Forbidden
Remote Address:
127.0.0.1:8000
Referrer Policy:
strict-origin-when-cross-origin
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Origin:
http://localhost
Allow:
GET, HEAD, OPTIONS
Connection:
close
Content-Length:
58
Content-Type:
application/json
Cross-Origin-Opener-Policy:
same-origin
Date:
Sat, 09 Mar 2024 07:12:45 GMT
Referrer-Policy:
same-origin
Server:
gunicorn
Vary:
Accept, Cookie, Origin
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
Accept:
application/json, text/plain, /
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Host:
127.0.0.1:8000
Origin:
http://localhost
Referer:
http://localhost/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"macOS"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
X-Csrftoken:
1qJvVnbBRdkPgGBYd8KLK7wDg7KOE2QU

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment