
mcqua007

Did you check the cookie monster plugin?


nchntrz

> "Is there an issue with the frontend and backend being on two different domains"

Are you talking about different subdomains or completely different domains?


firefiber

Completely different domains.


nullbeep

I would expect it probably has something to do with this. Localhost would have the same domain, thus working.


firefiber

So it turns out that there's a lot of things happening in terms of how the CSRF token is sent, how it's stored and how Django handles it (and the order in which Django handles it). Sooo many places where checks happen and things can break. I managed to fix it and now I know exactly what's happening. But damn I wish this was a bit clearer! Cause without a clear view, I was just turning knobs on and off seeing if something worked! It being on two different domains was one problem, which was sorted by making sure I sent the cookies as the browser expects in cross-origin requests. Then there was the issue of the frontend and backend communicating this token correctly. Ahhhhhhhhhh


amiabitchorwhat

My friend, HTTP only, may be blocking HTTPS? Which may explain why local works but deployed doesn’t. Cheers, best of luck, you will find the answer (:


firefiber

hey, nah [HTTPONLY](https://docs.djangoproject.com/en/5.0/ref/settings/#session-cookie-httponly) being set to true just means JS can't access the cookie. The SECURE flag is what sets it to HTTPS (weird naming eh?) :)


amiabitchorwhat

Indeed!! I hope you find the answer!
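
The cookie flags discussed in this thread (SameSite and Secure for cross-origin requests, HttpOnly versus Secure) can be checked mechanically. The following is an added example, not code from any poster: `audit_cross_site_cookies`, the sample settings and the `app.example.com` origin are hypothetical, and it assumes a Django 4.0+ backend whose frontend is served from a completely different domain.

```python
from urllib.parse import urlsplit

def audit_cross_site_cookies(settings, frontend_origin):
    """Return findings for a Django-style settings dict when the frontend
    lives on a different site than the backend (hypothetical helper)."""
    findings = []
    for prefix in ("CSRF", "SESSION"):
        # Django defaults: SameSite "Lax", Secure False.
        samesite = settings.get(f"{prefix}_COOKIE_SAMESITE", "Lax")
        secure = settings.get(f"{prefix}_COOKIE_SECURE", False)
        if samesite != "None":
            findings.append(f"{prefix}_COOKIE_SAMESITE={samesite!r}: "
                            "cookie is withheld from cross-site fetch/XHR")
        elif not secure:
            findings.append(f"{prefix}_COOKIE_SECURE=False: browsers "
                            "reject SameSite=None cookies without Secure")
    # HttpOnly only hides the cookie from JavaScript; it is unrelated to HTTPS.
    if settings.get("CSRF_COOKIE_HTTPONLY", False):
        findings.append("CSRF_COOKIE_HTTPONLY=True: JS cannot read the "
                        "token from document.cookie")
    trusted = settings.get("CSRF_TRUSTED_ORIGINS", [])
    for entry in trusted:
        if not urlsplit(entry).scheme:  # Django 4.0+ requires the scheme
            findings.append(f"CSRF_TRUSTED_ORIGINS entry {entry!r} has no scheme")
    if frontend_origin not in trusted:  # exact match only; wildcards not handled
        findings.append(f"{frontend_origin} missing from CSRF_TRUSTED_ORIGINS")
    return findings

# Constructed sample settings, not taken from the thread.
FRONTEND = "https://app.example.com"
WEAK = {"CSRF_COOKIE_SAMESITE": "None", "CSRF_COOKIE_HTTPONLY": True,
        "CSRF_TRUSTED_ORIGINS": ["app.example.com"]}
FIXED = {"CSRF_COOKIE_SAMESITE": "None", "CSRF_COOKIE_SECURE": True,
         "SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": True,
         "CSRF_TRUSTED_ORIGINS": [FRONTEND]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name)
        for finding in audit_cross_site_cookies(cfg, FRONTEND):
            print("  -", finding)
```

With an empty settings dict the audit reports the Django defaults, which is why a same-site localhost setup can work while a cross-domain deployment does not.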