Currently trying to fix this issue, I have browsed many posts but still cannot solve this problem, hence this message to the community :)
I am creating a dev/test environment for a Flask based website and I have to duplicate the current website into a subdomain, such as from mydomain.com to dev.mydomain.com, and so on for the additional related services such as Elasticsearch (e.g. from es.mydomain.com to es-dev.mydomain.com).
So here I am, I deployed everything through Nginx, the main website dev.mydomain.com and all services run and are accessible. BUT I cannot log in to Flask, which throws me a 400 error "missing CSRF session token" when there are actually 2 session tokens ... it seems that a duplicate is created in the form submission process, as the cookie holds 2 session keys.
Before form submission
- Original cookie keys:
  _ga=...;_gid=...;session=...
- Dev cookie keys:
  session=...;Domain=.dev.mydomain.com;Secure;HttpOnly;Path=/
After form submission
- Original website cookie keys:
  _ga=...;_gid=...;session=...
- Dev website cookie keys:
  _ga=...;_gid=...;session=...;session=...
CSRF is enabled for the whole app via csrf.init_app(app) and my Flask config is:
import os

SECRET_KEY = os.getenv("SECRET_KEY")
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
REMEMBER_COOKIE_SECURE = True
REMEMBER_COOKIE_HTTPONLY = True
I'm trying different config flavors but no improvement so far ...
Some help would be appreciated as always, thank you in advance :)
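As an added example (not part of the question above, and not Flask's or Werkzeug's own code), here is a stdlib-only Python script that applies the RFC 6265 cookie matching rules to show how a host such as dev.mydomain.com can end up receiving two cookies named `session` (one scoped to the parent domain `.mydomain.com`, one to the subdomain), which of the two a first-match lookup returns, and how host-only cookies (no `Domain` attribute, i.e. `SESSION_COOKIE_DOMAIN` left unset) keep the two environments from seeing each other's session. The cookie values and jar contents are constructed for illustration, and the statement that Flask reads the first `session` value through Werkzeug's MultiDict is marked as an assumption in the code.

```python
"""Which stored cookies does a browser attach to a request, and what happens
when two of them carry the same name? Stdlib only; all data is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str        # lowercase, without a leading dot
    host_only: bool    # True when the Set-Cookie header carried no Domain attribute
    path: str = "/"
    secure: bool = False
    created: int = 0   # creation order; browsers send older cookies first


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: exact match, or the host ends with '.' + cookie domain,
    so dev.mydomain.com matches mydomain.com but not the other way round."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar: List[StoredCookie], host: str, path: str = "/",
                        https: bool = True) -> List[StoredCookie]:
    """Cookies a conforming browser attaches, in Cookie-header order
    (RFC 6265 s5.4): longer paths first, then earlier-created first."""
    sent = []
    for c in jar:
        if c.host_only:
            if c.domain != host.lower():
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path) or (c.secure and not https):
            continue
        sent.append(c)
    sent.sort(key=lambda c: (-len(c.path), c.created))
    return sent


def cookie_header(jar: List[StoredCookie], host: str, path: str = "/",
                  https: bool = True) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for_request(jar, host, path, https))


def first_value(header: str, name: str) -> Optional[str]:
    """Assumption: Werkzeug parses the Cookie header into a MultiDict and Flask's
    session interface calls request.cookies.get(name), which returns the FIRST
    occurrence. (http.cookies.SimpleCookie, by contrast, would keep the last.)"""
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def duplicate_names(cookies: List[StoredCookie]) -> List[str]:
    """Names that appear more than once in one request, a sign of overlapping scopes."""
    names = [c.name for c in cookies]
    return sorted({n for n in names if names.count(n) > 1})


# Constructed jar 1: the production site scoped its session cookie to the parent
# domain (Domain=.mydomain.com); the dev site scoped its own to .dev.mydomain.com.
# Both match dev.mydomain.com, so that host receives two 'session' cookies.
OVERLAPPING_JAR = [
    StoredCookie("_ga", "GA1.1", "mydomain.com", host_only=False, created=1),
    StoredCookie("session", "PROD.sig", "mydomain.com", host_only=False, secure=True, created=2),
    StoredCookie("session", "DEV.sig", "dev.mydomain.com", host_only=False, secure=True, created=3),
]

# Constructed jar 2: both session cookies are host-only (no Domain attribute),
# so each one is sent back only to the exact host that set it.
HOST_ONLY_JAR = [
    StoredCookie("_ga", "GA1.1", "mydomain.com", host_only=False, created=1),
    StoredCookie("session", "PROD.sig", "mydomain.com", host_only=True, secure=True, created=2),
    StoredCookie("session", "DEV.sig", "dev.mydomain.com", host_only=True, secure=True, created=3),
]


if __name__ == "__main__":
    for label, jar in (("overlapping", OVERLAPPING_JAR), ("host-only", HOST_ONLY_JAR)):
        hdr = cookie_header(jar, "dev.mydomain.com", "/login")
        print(f"[{label}] Cookie: {hdr}")
        print(f"[{label}] session seen by a first-match lookup: {first_value(hdr, 'session')}")
        print(f"[{label}] duplicated names: {duplicate_names(cookies_for_request(jar, 'dev.mydomain.com'))}")
```

Running it shows that with overlapping scopes the dev host receives `session=PROD.sig; session=DEV.sig` and a first-match lookup picks the production cookie, while with host-only cookies each environment sees exactly one `session`. An alternative with the same effect is a distinct `SESSION_COOKIE_NAME` per environment, which makes the `duplicate_names` check come back empty even when the domain scopes overlap.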