I have a web app on Django with simple authentication as follows:

```python
from django.contrib.auth import authenticate, login
from django.shortcuts import redirect

# in a request handler
def login_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(request, username=username, password=password)
    if user is not None:
        login(request, user)
        return redirect('/')
```
The app works fine running on localhost and on real servers through HTTPS at my-app.com (not a real domain, of course). Now I'm trying to make it run on Kubernetes and Minikube. I've set up a Deployment, a Service and an NginX-Ingress, and I added the `minikube ip` address to my `/etc/hosts` file as `my-app.local`. I can access it using the Chrome browser, but the authentication doesn't work: the browser saves no cookies, and I always get redirected to the login page.
And I cannot find any reason: I've checked server logs and browser network traces, and they look fine. I also used `curl` to compare the authentication results of the real `.com` version of the app and my Minikube `.local` version; they are pretty much the same, I see a correct `Set-Cookie: ...` everywhere, but the cookies don't get saved in the browser. What can be the cause of this problem?
I've changed my local domain to `test.my-app.com`, but got no improvements :(
I turned off the Ingress, so it's not related to the problem.
In addition, I have added middleware to my Django app to log the cookies of each request, and I also made a script to check what's happening:

```python
import requests

url = 'http://my-app.local/'  # placeholder: set to the real app, localhost or the Minikube service

with requests.Session() as session:
    response = session.post(url, data={
        'username': 'some-login',
        'password': 'some-password',
    })
    response = session.get(url)
    print(response.content.decode('utf-8'))
    print(session.cookies)
```
When the url is set to the real app or the Django app on my localhost, I get the cookies `csrftoken` and `sessionid`, and the response shows the user's personal page. I also see the cookies in the server logs.
When the url is set to the Docker/K8s/Minikube service, I get the same cookies in the script, BUT the response shows the login page again. Also, the server logs show no cookies... Looks like something related to Django cookie processing.
I checked all the settings of the Django app and found out that the `SESSION_COOKIE_SECURE` option was the cause of the problem, as the doc says:

> If this is set to True, the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection.

The app is configured to use this and some other settings for security reasons when running in prod mode, and my K8s configuration was not configured to run in debug mode.
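An added example (not the poster's code) that reproduces the observed behaviour offline with Python's standard-library cookie jar, which, like browsers, withholds a cookie flagged `Secure` from `http://` requests: the jar stores the cookies (as the `requests` script showed) but a follow-up request over plain HTTP carries none of them, so Django sees an anonymous request. The host name and cookie values are constructed; `CSRF_COOKIE_SECURE` is Django's counterpart of `SESSION_COOKIE_SECURE` for the `csrftoken` cookie.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers in the shape Django emits with
# SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE = True (the prod settings).
SECURE_HEADERS = [
    "csrftoken=constructedCsrfToken; Path=/; SameSite=Lax; Secure",
    "sessionid=constructedSessionId; Path=/; HttpOnly; SameSite=Lax; Secure",
]
# The same cookies without the Secure flag (what an HTTP-only dev setup needs).
PLAIN_HEADERS = [h.replace("; Secure", "") for h in SECURE_HEADERS]


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message keeps duplicates

    def info(self):
        return self._headers


def names_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure, Path and Domain rules
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def simulate_login(set_cookie_headers, login_url, next_url):
    """Store the login response's cookies, then check a follow-up GET to next_url.

    Returns (names stored in the jar, names sent with the follow-up request).
    """
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(login_url))
    return sorted(c.name for c in jar), names_sent_to(jar, next_url)


if __name__ == "__main__":
    # http://my-app.local mirrors the Minikube setup; https:// the real deployment.
    for scheme in ("http", "https"):
        base = f"{scheme}://my-app.local"
        stored, sent = simulate_login(SECURE_HEADERS, base + "/login/", base + "/")
        print(f"{scheme:5} stored={stored} sent={sent}")
```

Over `http://` the Secure cookies are stored but `sent` is empty; over `https://`, or with the Secure flag dropped, both cookies travel with the follow-up request. Modern browsers go one step further and refuse to store a Secure cookie set over plain HTTP at all, which is why Chrome showed no cookies.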