I have a simple django 2.2 project that I am trying to publish. I am trying to secure the website as best I can. One of the options is SESSION_COOKIE_SECURE. When set to True, my admin pages just won't work. When I go to the /admin page, I will see a login. Inputting the correct login and password just brings me back to the exact same page. If I input the wrong login and password, then an error message pops up. So I know I have used the right password. There's nothing special about my admin setup. It's just in the urls.py of the project folder
urlpatterns = [
path('admin/', admin.site.urls), ...
Of course if I set SESSION_COOKIE_SECURE to False, the admin pages work. I have tried setting the SESSION_COOKIE_DOMAIN to my domain and that doesn't help. What am I missing? Thanks.
EDIT: I have just tried the following set of options based on the Django docs but I am not getting it working.
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
ANOTHER EDIT: So the above works in Production (which has HTTPS) but not in Development. This is good but also troubling to some degree. We want our production and development environment to be as close as possible so that features and stuff can be tested. I wonder what the best practice is when it comes to testing these troublesome little Django settings.
Actually, the following works.
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
It is just that when testing on my development environment, HTTPS is not available.
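An added illustration of the login loop described in the question (not code from the question or from Django): the standard library's http.cookiejar applies the same rule a browser does to the Secure attribute, so a Secure cookie is stored after the login response but is never sent back on a plain http:// request, which is exactly what makes the admin login appear to succeed and then land on the login page again. The Set-Cookie header is constructed to look like Django's default session cookie (name sessionid, Path=/, HttpOnly); the session key, the localhost URLs and the FakeResponse class are assumptions made for this example.

```python
"""Why a Secure session cookie makes the admin login loop over plain HTTP.

Added illustration, not code from the question or from Django. The
http.cookiejar module enforces the browser rule that matters here: a cookie
carrying the Secure attribute is only returned on https:// requests.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def session_cookie_header(secure):
    """Build a Set-Cookie header shaped like Django's session cookie.

    SESSION_COOKIE_SECURE = True is what adds the trailing Secure attribute.
    The session key is a constructed placeholder value.
    """
    header = "sessionid=constructedsessionkey123; HttpOnly; Path=/"
    if secure:
        header += "; Secure"
    return header


def login_then_revisit(login_url, revisit_url, secure):
    """Simulate POST /admin/login/ followed by GET /admin/ in one client.

    Returns the Cookie header the client attaches to the second request,
    or None when the session cookie is withheld.
    """
    jar = CookieJar()
    # 1. The login POST succeeds and the server sets the session cookie.
    login_request = Request(login_url, method="POST")
    jar.extract_cookies(FakeResponse(session_cookie_header(secure)), login_request)
    # 2. The client follows the redirect back to /admin/; the jar decides
    #    whether the stored cookie may travel over this request's scheme.
    revisit = Request(revisit_url)
    jar.add_cookie_header(revisit)
    return revisit.get_header("Cookie")


def session_sent(scheme, secure):
    """True if the session cookie comes back on the revisit request."""
    base = f"{scheme}://localhost"  # assumed dev-server style host
    cookie = login_then_revisit(f"{base}/admin/login/", f"{base}/admin/", secure)
    return cookie is not None and "sessionid=" in cookie


if __name__ == "__main__":
    for scheme in ("http", "https"):
        for secure in (False, True):
            print(f"{scheme:5} SESSION_COOKIE_SECURE={secure!s:5} -> "
                  f"sessionid sent back: {session_sent(scheme, secure)}")
```

The only combination in which the session cookie is withheld is plain http with Secure set, which is the development-server case in the question; over https the same setting is harmless, matching the production behaviour reported in the edits.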