How to send post requests to the subdomain?

There is a project with two subdomains, forum.site.com and games.site.com. When an Ajax POST request is sent from one subdomain to the other one's server, it is rejected, because the sessionid and CSRF token cookies are not sent along. Within a single domain the code works properly.

The subdomains carry utilities that are useful to me, and I would like to use them without duplicating URLs; if that is not possible, then tell me the correct architecture.

settings.py
SESSION_COOKIE_DOMAIN = 'site.com'   # cookie is shared with every *.site.com host
CSRF_COOKIE_DOMAIN = 'site.com'      # same for the CSRF cookie
CSRF_COOKIE_NAME = 'csrftoken'
CSRF_TRUSTED_ORIGINS = ['games.site.com', 'forum.site.com']  # bare hostnames (Django < 4.0); 4.0+ expects full origins with a scheme

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'corsheaders.middleware.CorsPostCsrfMiddleware',
    ...,
    ...,
]
March 12th 20 at 08:09
1 answer
March 12th 20 at 08:11
Solution
Are you sure you tried Google?
Dig into Access-Control-Allow-Origin: this header must be returned by the server that is being called via Ajax. Its value must be the origin, or *, i.e. the permitted origins from which a request may be made.
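The answer names the header the server has to send; as an added example (not code from this thread and not django-cors-headers itself), here is the decision the called server has to make for a credentialed request between the two subdomains in the question. The POLICY object and the functions validatePolicy and corsHeadersFor are hypothetical names standing in for settings such as CORS_ALLOWED_ORIGINS and CORS_ALLOW_CREDENTIALS. One caveat the answer does not spell out: browsers refuse a response whose Access-Control-Allow-Origin is `*` when the request was sent with credentials, and echoing whatever Origin arrives while also sending Access-Control-Allow-Credentials: true would let any site read the user's authenticated responses. So the origin is echoed only when it matches an exact allow-list entry, scheme included.

```javascript
// Added example: the server-side half of a credentialed cross-subdomain CORS exchange.
// POLICY is a hypothetical stand-in for django-cors-headers settings; the two origins
// are the subdomains from the question, the methods/headers mirror the OPTIONS reply above.
const POLICY = {
  allowedOrigins: new Set(["https://forum.site.com", "https://games.site.com"]),
  allowCredentials: true,
  allowMethods: ["DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT"],
  allowHeaders: ["accept", "content-type", "origin", "x-csrftoken", "x-requested-with"],
  maxAge: 86400,
};

// "*" is never valid together with credentials, and every entry must be a full origin
// (scheme + host), otherwise "http://games.site.com" would silently be accepted too.
function validatePolicy(policy) {
  if (policy.allowCredentials && policy.allowedOrigins.has("*")) {
    throw new Error("Access-Control-Allow-Origin: * cannot be combined with credentials");
  }
  for (const o of policy.allowedOrigins) {
    if (!/^https?:\/\/[^/]+$/.test(o)) throw new Error(`not an origin: ${o}`);
  }
  return true;
}

// req = { method, headers } with lower-cased header names (as Node's http module gives them).
// Returns the CORS response headers. An Origin outside the allow-list gets no
// Access-Control-Allow-Origin at all, so the browser blocks the response.
function corsHeadersFor(req, policy) {
  validatePolicy(policy);
  const headers = { "Vary": "Origin" }; // caches must key on Origin since ACAO is per-origin
  const origin = req.headers["origin"];
  if (!origin || origin === "null" || !policy.allowedOrigins.has(origin)) return headers;

  headers["Access-Control-Allow-Origin"] = origin; // echo the exact allow-listed origin, not "*"
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const reqMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && reqMethod !== undefined;
  if (!isPreflight) return headers;

  // Preflight: grant only what the policy lists. A requested method or header that is
  // not granted is simply absent from the answer, and the browser fails the preflight.
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = policy.allowMethods.includes(reqMethod.toUpperCase());
  const headersOk = wanted.every(h => policy.allowHeaders.includes(h));
  if (methodOk && headersOk) {
    headers["Access-Control-Allow-Methods"] = policy.allowMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAge);
  }
  return headers;
}

// Constructed preflight shaped like the OPTIONS request captured in the thread.
const PREFLIGHT = {
  method: "OPTIONS",
  headers: {
    origin: "https://games.site.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "x-csrftoken",
  },
};
console.log(corsHeadersFor(PREFLIGHT, POLICY));
```

Two of the cases worth checking by hand: an Origin of https://games.site.com.evil.example (a naive substring or unanchored regex match on "site.com" would accept it) receives only Vary: Origin, and a plain http://games.site.com page is likewise refused because the allow-list entries carry the https scheme.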
The header arrives in the OPTIONS request; that is its response. The POST request that follows does not include cookies - peyton79 commented on March 12th 20 at 08:14
@peyton79, then put it in the question. Can you post the headers of the OPTIONS response?
And the names of the cookies that are set in the response - rowan_Wiega commented on March 12th 20 at 08:17
The names of the cookies in the OPTIONS response? I'll post them tomorrow! - peyton79 commented on March 12th 20 at 08:20
OPTIONS:
REQUEST
Accept: text/html,application/xhtml+xm...plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: ru-ru,ru;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-Headers: x-csrftoken
Access-Control-Request-Method: POST
Connection: keep-alive
Host: forum.site.com
Origin: https://games.site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64...) Gecko/20100101 Firefox/58.0


RESPONSE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: https://games.site.com
Access-Control-Max-Age: 86400
Connection: keep-alive
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Thu, 11 Oct 2018 06:09:05 GMT
Keep-Alive: timeout=20
Server: nginx
Vary: Origin


No cookies come with it. Then a POST request goes out with the following headers:

POST
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: ru-ru,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Content-Length: 64
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: forum.site.com
Origin: https://games.site.com
Referer: https://games.site.com/ru/
User-Agent: Mozilla/5.0 (X11; Linux x86_64...) Gecko/20100101 Firefox/58.0
X-CSRFToken: oXa6EZOef3ZfUl5eVPLufryLlE4VIz...27Cy7mKjhgqsjpdXC7s5gZvLwcyOv


The request goes out without a cookie and returns a 403 with the error "CSRF verification failed. Request aborted."; the response contains a sessionid cookie - peyton79 commented on March 12th 20 at 08:23
Actually, you had to obtain the CSRF token before sending the POST request.

A possible solution: disable CSRF validation for this view

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt  # skips CsrfViewMiddleware for this one view only
def my_view(request):
    return HttpResponse('Hello world')

Does that suit you? - rowan_Wiega commented on March 12th 20 at 08:26
@rowan_Wiega, No, because it writes user data into the database, or does authorization.

The token and sessionid are stored in cookies, but the browser does not send them. - peyton79 commented on March 12th 20 at 08:29
@peyton79, show the domain that is set on the cookies. - rowan_Wiega commented on March 12th 20 at 08:32
@rowan_Wiega, .site.com, for both csrftoken and sessionid - peyton79 commented on March 12th 20 at 08:35
@peyton79, post the code you make the POST request with - rowan_Wiega commented on March 12th 20 at 08:38
@rowan_Wiega, the code is not very concise, sorry
function() {
    $.ajax({
        method: "POST",
        url: login_url,
        dataType: 'json',
        data: $form.serialize(),
        beforeSend: function(xhr, settings) {
            xhr.withCredentials = true;
            xhr.setRequestHeader("X-CSRFToken", csrftoken1);
        },
        success: function(data) {
            hideErrors();
            $all_errors.addClass('hide');
            location.reload();
        },
    });
}
- peyton79 commented on March 12th 20 at 08:41
@peyton79,
this should help:
function() {
    $.ajax({
        method: "POST",
        url: login_url,
        xhrFields: { withCredentials: true },
        dataType: 'json',
        data: $form.serialize(),
        beforeSend: function(xhr, settings) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken1);
        },
        success: function(data) {
            hideErrors();
            $all_errors.addClass('hide');
            location.reload();
        },
    });
}
- rowan_Wiega commented on March 12th 20 at 08:44
@rowan_Wiega, thank you very much! - peyton79 commented on March 12th 20 at 08:47
@rowan_Wiega, please tell me, what could be wrong with this request?
function() {
    let file = $('#id')[0].files[0];
    let xhr = new XMLHttpRequest();
    // xhrFields is a $.ajax option; on a raw XMLHttpRequest this is just an unused property
    xhr.xhrFields = {
        withCredentials: true
    };

    let fd = new FormData();

    fd.append('csrfmiddlewaretoken', $('[name=csrfmiddlewaretoken]').val());
    fd.append('image', file);

    xhr.open('post', location.protocol + _img_upload_url, true);
    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));

    xhr.send(fd);
}


It returns a 403 and the response body is empty.
Request headers:
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: ru-ru,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Content-Length: 835763
Content-Type: multipart/form-data; boundary=...--212700736647785187243382243
Host: games.site.com
Origin: http://forum.site.com
Referer: http://forum.site.com/member/profile/edit/
User-Agent: Mozilla/5.0 (X11; Linux x86_64...) Gecko/20100101 Firefox/58.0
X-CSRFToken: k52Tj9nl1TtVNqM5YhSnTMiluPPKCz...X7DaIu2Y5ncZxpRqi9kOTf0mmowxz


response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://forum.site.com
Connection: keep-alive
Content-Encoding: gzip
Content-Language: EN
Content-Type: text/html; charset=utf-8
Date: Thu, 11 Jun 2018 14:40:58 GMT
Keep-Alive: timeout=20
Server: nginx
Set-Cookie: sessionid=18r19j719iihmecjg0qf...Only; Max-Age=1209600; Path=/
Transfer-Encoding: chunked
Vary: Cookie, Origin
X-Frame-Options: SAMEORIGIN
- peyton79 commented on March 12th 20 at 08:50
@peyton79, I will answer in 2 hours - rowan_Wiega commented on March 12th 20 at 08:53
On the production server there is no response at all; nginx logged the following:
2018/10/11 17:57:49 [error] 8165#8165: *977 readv() failed (104: Connection reset by peer) while reading upstream,
    client: xx.xx.xx.xx,
    server: games.site.com,
    request: "POST /EN/tis/upload HTTP/1.0",
    upstream: "uwsgi://127.0.0.1:9999",
    host: "games.site.com",
    referrer: "https://forum.site.com/member/profile/edit/"
- peyton79 commented on March 12th 20 at 08:56
@peyton79, https://developer.mozilla.org/ru/docs/Web/API/XMLH... - rowan_Wiega commented on March 12th 20 at 08:59
@peyton79, you have a programmer's intuition, but the logic is a bit broken) - rowan_Wiega commented on March 12th 20 at 09:02
@rowan_Wiega, well, at least I got lucky with the logic)
Do I understand correctly that allowCredentials is not needed because a cookie in the response is not expected / is of no interest to us? And as I understand it, the 403 still comes - peyton79 commented on March 12th 20 at 09:05
@peyton79, a cookie in the response is not expected, because who would be setting it there; that should have happened during authorization.
But the 403 comes when the server does not see any cookies that can identify the client.
So replace this bit:
xhr.xhrFields = {
    withCredentials: true
};
with xhr.withCredentials = true; and try again - rowan_Wiega commented on March 12th 20 at 09:08
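Both fixes in this thread, xhrFields: { withCredentials: true } for $.ajax and xhr.withCredentials = true for a raw XMLHttpRequest, come down to one browser rule: a cross-origin XHR carries cookies only when the credentials flag is set on the real XHR object. The following is an added example modelling that rule, not code from the thread. FakeXHR, jqueryStyleXhr, cookiesSent, csrfVerdict, simulate and the cookie jar are constructed for illustration; the subdomains and the upload path are the ones from the thread, the cookie values are made up, and csrfVerdict is a deliberately simplified stand-in for Django's CsrfViewMiddleware (it does not mask tokens or check Origin/Referer). The one piece of jQuery behaviour reproduced, copying each xhrFields entry onto the underlying XHR, is how jQuery's xhr transport actually works.

```javascript
// Constructed cookie jar: the two cookies from the question are set for .site.com, so
// they travel to every subdomain; the third is host-only and never leaves forum.site.com.
const COOKIE_JAR = [
  { name: "csrftoken", value: "tok-abc", domain: ".site.com", path: "/", secure: true },
  { name: "sessionid", value: "sess-123", domain: ".site.com", path: "/", secure: true },
  { name: "forum_theme", value: "dark", domain: "forum.site.com", path: "/", secure: false, hostOnly: true },
];

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  const d = cookie.domain.replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Mimics the DOM object: only the real `withCredentials` property is consulted. Anything
// else assigned to it (e.g. xhr.xhrFields = {...}) is an inert expando the browser ignores.
class FakeXHR {
  constructor() { this.withCredentials = false; this.headers = {}; }
  setRequestHeader(name, value) { this.headers[name.toLowerCase()] = value; }
}

// jQuery's xhr transport copies every xhrFields entry onto the real XHR before send().
function jqueryStyleXhr(options) {
  const xhr = new FakeXHR();
  if (options.xhrFields) Object.assign(xhr, options.xhrFields);
  return xhr;
}

// Which cookies the browser attaches: same-origin always; cross-origin only with the
// credentials flag; then the usual Domain / Path / Secure matching.
function cookiesSent(pageOrigin, url, xhr, jar) {
  const target = new URL(url);
  const sameOrigin = new URL(pageOrigin).origin === target.origin;
  if (!sameOrigin && xhr.withCredentials !== true) return [];
  return jar.filter(c => domainMatches(target.hostname, c)
    && target.pathname.startsWith(c.path)
    && (!c.secure || target.protocol === "https:"));
}

// Simplified CSRF check: the csrftoken cookie must arrive and X-CSRFToken must match it.
function csrfVerdict(cookies, xhr) {
  const cookie = cookies.find(c => c.name === "csrftoken");
  if (!cookie) return { status: 403, reason: "CSRF cookie not set" };
  if (xhr.headers["x-csrftoken"] !== cookie.value) return { status: 403, reason: "CSRF token mismatch" };
  return { status: 200, reason: "ok" };
}

function simulate(pageOrigin, url, xhr, jar = COOKIE_JAR) {
  const cookies = cookiesSent(pageOrigin, url, xhr, jar);
  return {
    cookies: cookies.map(c => c.name),
    authenticated: cookies.some(c => c.name === "sessionid"),
    ...csrfVerdict(cookies, xhr),
  };
}

// The upload scenario from the thread: page on forum.site.com, request to games.site.com.
const FROM = "https://forum.site.com";
const TO = "https://games.site.com/EN/tis/upload";

// 1. xhr.xhrFields on a raw XMLHttpRequest: ignored, no cookies, 403.
const rawBroken = new FakeXHR();
rawBroken.xhrFields = { withCredentials: true };
rawBroken.setRequestHeader("X-CSRFToken", "tok-abc");
const brokenResult = simulate(FROM, TO, rawBroken);

// 2. The fix: set the real property.
const rawFixed = new FakeXHR();
rawFixed.withCredentials = true;
rawFixed.setRequestHeader("X-CSRFToken", "tok-abc");
const fixedResult = simulate(FROM, TO, rawFixed);

// 3. jQuery: the xhrFields option lands on the real XHR, so it works there.
const jq = jqueryStyleXhr({ xhrFields: { withCredentials: true } });
jq.setRequestHeader("X-CSRFToken", "tok-abc");
const jqueryResult = simulate(FROM, TO, jq);

console.log(brokenResult, fixedResult, jqueryResult);
```

The same model also explains two failure modes the thread brushes past: a page served over plain http cannot get Secure cookies attached even with the flag set, and a cookie set without a Domain attribute stays on the subdomain that set it, which is why SESSION_COOKIE_DOMAIN and CSRF_COOKIE_DOMAIN in the question have to be 'site.com' for any of this to work.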
@rowan_Wiega, Yes, it works)) Thanks a lot! - peyton79 commented on March 12th 20 at 09:11
