Django not authenticating under mod_wsgi

Question

i'm pulling my hair out for a while with this. i'm deploying my django application from the test server to an apache with mod_wsgi machine. everything seems to work except the django user authentication system it seems to write session to table django_session and somehow it does some sort of validation because when i provide wrong credentials custom error message is returned. the this is that @login_required() in views always returns false. and access to app admin page is denied. in the research i've done it may be by the lack of parameter WSGIPassAuthorization On in the apache2.conf file but it didn't work.

my virtualhost file:

<VirtualHost *:80>
    ServerName myapp.cl
    ServerAlias *.myapp.cl myapp.cl
    Alias /static /home/ubuntu/django_projects/myapp/static
    <Directory /home/ubuntu/django_projects/myapp/static>
        Require all granted
    </Directory>
    <Directory /home/ubuntu/django_projects/myapp/myapp>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIProcessGroup myapp
    WSGIDaemonProcess myapp python-path=/home/ubuntu/django_projects/myapp
    WSGIScriptAlias / /home/ubuntu/django_projects/myapp/myapp/wsgi.py process-group=myapp application-group=%{GLOBAL}
</VirtualHost>

and my url_file:

rom django.conf.urls import url, include
from django.contrib import admin
from . import views as views_ini
from django.contrib.auth.views import login, logout,  password_change, password_change_done
from myapp.views import aviso_sistema, inicio, LoginForm



urlpatterns = [
    url(r'^admin/', admin.site.urls),


    url(r'^login/$', login, {'template_name': 'loginrex.html',
                                       'authentication_form': LoginForm,
                                       }, name='django.contrib.auth.views.login'),

    url(r'^logout/$', logout, {'next_page': '/login'}, name='logout'),


    # ....Avisos del sistema
    url(r'^aviso_sistema/(?P<titulo>[\w\ ]+)/(?P<detalle>[\w\ ]+)/(?P<tipo>[\w\ ]+)$', aviso_sistema, name='aviso_sistema'),

]

my /myapp/myapp/views.py

from django.shortcuts import render, redirect, get_object_or_404
from django.contrib.auth.decorators import login_required
from django.contrib.auth.forms import AuthenticationForm
from django import forms
from myapp.definiciones.preferenciasDefi import unaPref
from myapp.deposito import procesoAnombre
from django.shortcuts import redirect
from django.conf import settings

@login_required()
def inicio(request):
    #if not request.user.is_authenticated:
    #   raise ValueError('Usuario OK pero no logueado')
    #   return redirect('%s?next=%s' % (settings.LOGIN_URL, request.path))

    mdp = unaPref('mesActual')
    dato = procesoAnombre(mdp)
    datos = {
        'mmp': dato,
        'idv': ' ',
    }
    return render(request, 'inicio.html', datos)

class LoginForm(AuthenticationForm):
    username = forms.CharField(label="Usuario", max_length=30,
                               widget=forms.TextInput(attrs={'class': 'form-control', 'name': 'username'}),
                               )
    password = forms.CharField(label="Clave", max_length=30,
                               widget=forms.PasswordInput(attrs={'class': 'form-control', 'name': 'password'}),
                               )

# ........Genera los avisos del sistema
def aviso_sistema(request, titulo, detalle, tipo):

    datos = {
        'titulo': titulo,
        'detalle': detalle,
        'tipo': tipo,
    }
    return render(request, 'aviso_sistema.html', datos)

i really would appreciate some help with this. Thanks

Answer 1

i finally found the problem, it was two variables located in settings.py that have to be set to False.

• CSRF_COOKIE_SECURE
• SESSION_COOKIE_SECURE

in local testserver is not an issue because it doesn't make any security validations. probably they have to be equal to True when the SSL certificate is applied to site.