final logout related fixes and cookies and session

This commit is contained in:
IGNY8 VPS (Salman)
2025-12-16 19:16:50 +00:00
parent 1887f2a665
commit 84fd4bc11a
5 changed files with 175 additions and 13 deletions


@@ -92,15 +92,17 @@ CSRF_TRUSTED_ORIGINS = [
USE_SECURE_COOKIES = os.getenv('USE_SECURE_COOKIES', 'False').lower() == 'true'
SESSION_COOKIE_SECURE = USE_SECURE_COOKIES
CSRF_COOKIE_SECURE = USE_SECURE_COOKIES
CSRF_COOKIE_SAMESITE = 'Lax' # Match session cookie setting
CSRF_COOKIE_DOMAIN = '.igny8.com' # Share CSRF cookie across subdomains
# CRITICAL: Session isolation to prevent contamination
SESSION_COOKIE_NAME = 'igny8_sessionid' # Custom name to avoid conflicts
SESSION_COOKIE_HTTPONLY = True # Prevent JavaScript access
SESSION_COOKIE_SAMESITE = 'Strict' # Prevent cross-site cookie sharing
SESSION_COOKIE_SAMESITE = 'Lax' # Changed from Strict to Lax - allows same-site top-level navigation
SESSION_COOKIE_AGE = 3600 # 1 hour - extends on every request due to SESSION_SAVE_EVERY_REQUEST
SESSION_SAVE_EVERY_REQUEST = True # CRITICAL: Update session on every request to prevent idle timeout
SESSION_COOKIE_PATH = '/' # Explicit path
# Don't set SESSION_COOKIE_DOMAIN - let it default to current domain for strict isolation
SESSION_COOKIE_DOMAIN = '.igny8.com' # CRITICAL: Share cookie across subdomains (app.igny8.com and api.igny8.com)
# CRITICAL: Custom authentication backend to disable user caching
AUTHENTICATION_BACKENDS = [
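Review bot: Both `SESSION_COOKIE_SAMESITE = 'Strict'` and `SESSION_COOKIE_SAMESITE = 'Lax'` survive in the new settings (the hunk header counts two additions and no deletions, so the new lines appear to have been appended under the old ones rather than replacing them), and the same holds for the comment "Don't set SESSION_COOKIE_DOMAIN - let it default to current domain for strict isolation" followed directly by `SESSION_COOKIE_DOMAIN = '.igny8.com'`; Python keeps the last assignment, so Lax and the shared domain take effect, but the file now states the opposite of what it does. Delete the earlier `SESSION_COOKIE_SAMESITE = 'Strict'` line and the stale "Don't set SESSION_COOKIE_DOMAIN" comment so the effective policy is readable without tracing assignment order. Scoping the session cookie to `.igny8.com` means every host under that domain receives it, which is exactly the isolation the removed advice was protecting; the comment on that line should record the trade-off, e.g. `# NOTE: session cookie is sent to every *.igny8.com host; every subdomain must be trusted`. Since `USE_SECURE_COOKIES` defaults to `'False'`, a deployment that omits the env var will send this domain-wide session cookie over plain HTTP as well, so consider defaulting it to `'True'` or treating an unset value as a configuration error in production.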