[GH-ISSUE #2282] CSRF token cookie overlap on other subdomain #3358

New issue

Open

opened 2026-03-14 07:12:27 +03:00 by kerem · 0 comments

kerem commented 2026-03-14 07:12:27 +03:00

Owner

Copy link

Originally created by @Supermanu on GitHub (Aug 28, 2025).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/2282

Server Info (please complete the following information):

• OS: Ubuntu 22.04
• Browser: Firefox
• RMM Version: 1.2.0

Installation Method:

• Standard
• Standard with --insecure flag at install
• Docker

Agent Info (please complete the following information):

• Agent version (as shown in the 'Summary' tab of the agent from web UI): v2.9.1
• Agent OS: -

Describe the bug
We have an other Django application with a different subdomain but sharing the same root domain as Tacticalrmm: mesh.mydomain, api.mydomain, rmm.mydomain for Tacticalrmm and myapp.mydomain for the other app. The issue is that Tacticalrmm writes the csrftoken in .mydomain conflicting with the other Django application which correctly writes to myapp.domain. The other application choose, for authentification, the wrong csrftoken (the first one it finds) and thus fails to be recognized. As a workaround, I changed the SESSION_COOKIE_DOMAIN and CSRF_COOKIE_DOMAIN variables in settings.py to None in order to force Tacticalrmm to writes the csrftoken to rmm.mydomain.

Expected behavior
If Tacticalrmm needs to do cross-subdomain authentification, to change the name csrftoken to something of its own with CSRF_COOKIE_NAME setting.

Best regards

Originally created by @Supermanu on GitHub (Aug 28, 2025). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/2282 **Server Info (please complete the following information):** - OS: Ubuntu 22.04 - Browser: Firefox - RMM Version: 1.2.0 **Installation Method:** - [ ] Standard - [ ] Standard with `--insecure` flag at install - [ ] Docker **Agent Info (please complete the following information):** - Agent version (as shown in the 'Summary' tab of the agent from web UI): v2.9.1 - Agent OS: - **Describe the bug** We have an other Django application with a different subdomain but sharing the same root domain as Tacticalrmm: `mesh.mydomain`, `api.mydomain`, `rmm.mydomain` for Tacticalrmm and `myapp.mydomain` for the other app. The issue is that Tacticalrmm writes the csrftoken in `.mydomain` conflicting with the other Django application which correctly writes to `myapp.domain`. The other application choose, for authentification, the wrong csrftoken (the first one it finds) and thus fails to be recognized. As a workaround, I changed the `SESSION_COOKIE_DOMAIN` and `CSRF_COOKIE_DOMAIN` variables in `settings.py` to `None` in order to force Tacticalrmm to writes the csrftoken to `rmm.mydomain`. **Expected behavior** If Tacticalrmm needs to do cross-subdomain authentification, to change the name `csrftoken` to something of its own with [CSRF_COOKIE_NAME](https://docs.djangoproject.com/en/5.2/ref/settings/#csrf-cookie-name) setting. Best regards

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#3358

No description provided.