Session value missing after redirect with django python-social-auth
I am working on a django project using python-social-auth to do authentication with facebook. I am running the django server on localhost and have facebook set up with my application to redirect to http://127.0.0.1:8000/complete/facebook/, which begins python-social-auth's pipeline to authenticate a user. I am using postgres as my database.

When this method is called and tries to authenticate, it cannot find information on the session. From https://github.com/omab/python-social-auth/issues/534 , I think the sessionid cookie is being overwritten. If I send the facebook redirect to a different url to load a static page without authentication, there is no error but I am also not authenticating or getting any information from facebook.

How would I go about not overwriting the sessionid cookie (if, of course, that is the actual issue), or is there another problem that I might be missing here?

[03/Jun/2016 05:19:58] "GET /login/facebook/?next=/lithium-web/ HTTP/1.1" 302 0
Internal Server Error: /complete/facebook/
Traceback (most recent call last):
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/django/core/handlers/base.py", line 149, in get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/django/core/handlers/base.py", line 147, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/apps/django_app/utils.py", line 51, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/apps/django_app/views.py", line 28, in complete
    redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/actions.py", line 43, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/backends/base.py", line 41, in complete
    return self.auth_complete(*args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/utils.py", line 229, in wrapper
    return func(*args, **kwargs)
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/backends/facebook.py", line 71, in auth_complete
    state = self.validate_state()
  File "/Users/mac/Desktop/lithium-web/lib/python2.7/site-packages/social/backends/oauth.py", line 88, in validate_state
    raise AuthStateMissing(self, 'state')
AuthStateMissing: Session value state missing.
Tearle answered 3/6, 2016 at 14:41
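What the traceback is actually tripping over is the OAuth2 `state` CSRF check: before redirecting to Facebook the backend stores a random value under `facebook_state` in the Django session, and on `/complete/facebook/` it compares that stored value with the `state` Facebook echoes back. If the session cookie does not come back with the callback request, Django starts a fresh, empty session and there is nothing to compare, which is exactly `AuthStateMissing`. The following is an added, self-contained model of that check (not python-social-auth's own code); the `SessionStore` class, `run_flow` helper and the `constructed-code` value are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional

STATE_KEY = "facebook_state"  # python-social-auth keys the value as "<backend>_state"


class AuthStateMissing(Exception):
    """No state in the session: the session cookie did not come back."""


class AuthStateForbidden(Exception):
    """State is present but differs from what the callback carried."""


def begin_auth(session: dict) -> str:
    """Before redirecting to the provider: mint an unguessable state and store it
    server-side. The session cookie is the only thing tying this value to the
    browser that will later hit the callback URL."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    return state


def validate_state(session: dict, callback_query: dict) -> str:
    """On the callback: the state echoed by the provider must equal the stored one."""
    saved = session.get(STATE_KEY)
    if saved is None:
        # This is the branch the traceback shows (social/backends/oauth.py).
        raise AuthStateMissing("Session value state missing.")
    received = callback_query.get("state", "")
    # Constant-time comparison so the check does not leak the stored value.
    if not hmac.compare_digest(saved.encode(), received.encode()):
        raise AuthStateForbidden("Wrong state parameter given.")
    return saved


class SessionStore:
    """Assumed stand-in for Django's cookie-keyed session backend."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def load(self, cookie_value: Optional[str]):
        """A request without a session cookie gets a brand-new, empty session."""
        if cookie_value is None:
            cookie_value = secrets.token_hex(16)
        return cookie_value, self._sessions.setdefault(cookie_value, {})


def run_flow(cookie_returned: bool, injected_state: Optional[str] = None) -> str:
    """Drive login -> provider redirect -> callback and report the outcome.

    cookie_returned=False models the situation in the question: the session
    cookie was dropped between /login/facebook/ and /complete/facebook/ (for
    example because it was marked Secure but the callback is plain http).
    injected_state models an attacker-crafted callback URL with a foreign state.
    """
    store = SessionStore()
    sid, session = store.load(None)            # GET /login/facebook/ creates the session
    state = begin_auth(session)                # state goes into the redirect to Facebook
    # Facebook redirects back with the same state plus an authorization code
    # ("constructed-code" is a placeholder, not a real code).
    callback_query = {"state": injected_state or state, "code": "constructed-code"}
    _, session_on_callback = store.load(sid if cookie_returned else None)
    try:
        validate_state(session_on_callback, callback_query)
    except AuthStateMissing:
        return "missing"
    except AuthStateForbidden:
        return "forbidden"
    return "ok"
```

`run_flow(False)` reproduces the question's failure without touching Facebook at all, which is a useful first test before changing any cookie settings: if the session that reaches the callback is empty, no amount of redirect-URI tweaking will help.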
This error was due to the session cookie not being saved over a non-https url. When testing on localhost with SESSION_COOKIE_SECURE set to True in django, the session cookies will not persist between redirects and you will get this error in any kind of page change where session would be checked.

SESSION_COOKIE_SECURE=False for testing and it's all good

Tearle answered 1/7, 2016 at 21:19

how do you do it in production though? (Mismatch)

they don't, they just left the job! :) (Zelazny)

Just set the value to True if you want to only allow session cookies over https connection (which you probably do) (Tearle)

This is not working (Gurule)
Solved it by removing LOGIN_REDIRECT_URL from django settings.

Actually python_social_auth's pipeline structure sets LOGIN_REDIRECT_URL as next, i.e. the redirect-to URL, but unfortunately they didn't handle named patterns. So, when we set LOGIN_REDIRECT_URL to myapp:index it produces this error.

So, either remove this setting or use direct patterns, i.e.

LOGIN_REDIRECT_URL = 'myapp/index'

Venule answered 12/4, 2018 at 15:21
I also had this problem. Solved it by adding "SOCIAL_AUTH_REDIRECT_IS_HTTPS = True" in my settings.py file, since my configuration is using nginx to redirect to HTTPS. I found this answer only by reading the documentation here: https://python-social-auth-docs.readthedocs.io/en/latest/configuration/settings.html

Emancipated answered 24/7, 2018 at 16:21
In my case, this had to do with v96-era browsers changing the default for SameSite cookies from "None"/"–" to "Lax" and this at least affects multisite authentication on HTTP like localhost (maybe not HTTPS). Old django 2.1 does not let you specify these to be "None", so it stopped working.

For now in Safari 15.2, the old cookies still work.

Howund answered 6/1, 2022 at 18:30
It's possible to simulate it while testing. If we remove / don't include the session setup shown here

def setUp(self):
    session = self.client.session
    session['facebook_state'] = '1'
    session.save()

then you'll be able to get the same error

social_core.exceptions.AuthStateMissing: Session value state missing.


Found also other people going through this issue

Overall it was fixed by one or more of the following added in settings.py (only to be used in development environments)

SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
SESSION_COOKIE_SAMESITE = None
SESSION_COOKIE_HTTPONLY = False
SOCIAL_AUTH_FIELDS_STORED_IN_SESSION = ['facebook_state']
Openfaced answered 2/11, 2022 at 21:27
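The settings in the accepted answer (SESSION_COOKIE_SECURE) and in the last two answers (SameSite defaults, SESSION_COOKIE_SAMESITE, SESSION_COOKIE_HTTPONLY) all come down to one question: will the browser attach the sessionid cookie to the request Facebook's 302 sends back to the app? The block below is an added example, not code from the thread or from Django or python-social-auth. It pairs a small settings helper with a simplified model of the browser's cookie-attachment rules (Secure attribute versus scheme, SameSite versus the cross-site navigation from facebook.com), so the dev and production configurations can be checked side by side. The `_site` helper, the `lax_by_default` switch and the example hostnames are assumptions; `example.com` stands in for a real production host.

```python
from urllib.parse import urlsplit


def django_session_cookie_settings(served_over_https: bool) -> dict:
    """Session-cookie settings for a Django project.

    Production is served over HTTPS, so the cookie can be marked Secure. A plain
    http://127.0.0.1:8000 dev server cannot use Secure: the browser never sends a
    Secure cookie over http, so the OAuth callback arrives with no session and
    validate_state raises AuthStateMissing. Lax (Django's default) is enough for
    the callback, which is a top-level GET navigation. HttpOnly only hides the
    cookie from JavaScript; it has no effect on whether it is sent, so there is
    no reason to switch it off.
    """
    return {
        "SESSION_COOKIE_SECURE": served_over_https,
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",   # the string "None" means SameSite=None;
                                            # Python None omits the attribute entirely
    }


def _site(host: str) -> str:
    """Assumed simplification of a browser's 'site': last two DNS labels, or the
    literal address for IPs. Good enough for facebook.com versus 127.0.0.1."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


def cookie_sent_on_callback(settings: dict, callback_url: str,
                            initiator: str = "https://www.facebook.com/",
                            method: str = "GET",
                            lax_by_default: bool = True) -> bool:
    """Model of the checks a browser makes before attaching the session cookie
    to the provider's redirect back into the app."""
    secure = settings["SESSION_COOKIE_SECURE"]
    samesite = settings["SESSION_COOKIE_SAMESITE"]
    target = urlsplit(callback_url)

    if secure and target.scheme != "https":
        return False                     # Secure cookie never travels over plain http
    if samesite == "None" and not secure:
        return False                     # SameSite=None without Secure is rejected at set time

    # Browsers from roughly Chrome 80 onward treat a missing SameSite as Lax.
    effective = samesite if samesite is not None else ("Lax" if lax_by_default else "None")

    cross_site = _site(urlsplit(initiator).hostname) != _site(target.hostname)
    if not cross_site or effective == "None":
        return True
    if effective == "Strict":
        return False                     # Strict is never sent on cross-site navigations
    # Lax: sent on cross-site top-level navigations that use a safe method
    return method == "GET"
```

Run with the dev settings against `http://127.0.0.1:8000/complete/facebook/` the cookie is sent; flip only SESSION_COOKIE_SECURE to True on that same http URL and it is not, which is the accepted answer's diagnosis. The production settings pass against an https callback, and a `Strict` SameSite value fails against both, which is why the thread's advice is to keep Lax rather than reach for `None`.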