Invalid token after http request

I use the UE4.27.2 engine for my AR application on android. I also have my local website on Django + MySQL. So, I want to get a connection via HTTP requests from the application to the server. I have already tried the VaRest plugin and Fetch. When I make requests from the Editor, everything is fine and I get a 200 code. But, after building on android (no matter if it’s development or shippable), the GET request goes to the server, gets a token and sends a Post request with this token. After that, an error occurs
[django.security.csrf:log_response:241] Forbidden (CSRF cookie not set.): /auth/login/
[django.server:log_message:187] “POST /auth/login/ HTTP/1.1” 403 2870.

Once again, I note that using any plugin for REST requests, everything works fine in the editor, but after packaging, the token is not sent.

Can anyone help?

CSRF is short for Cross Site Request Forgery. So your ar app is not passing the restrictions set by django.
You need to pass in the CSRF middleware token with your post request.

You would need to make a request first to call csrf.py => get_token()

Edit: Ok So just read you have the token
Try

As the poster mentions you could be accessing the site non-securely so either with a self signed ssl certificate or even lack of any that might be triggering further problems.

Also important step, are you passing it as csrfmiddlewaretoken in your post request?

After a GET request, I receive a cookie with a token in the Response Header: csrftoken=ErfuHlQV8eiKk1MMZm0iBN77SogyWcB8; from which I separate all unnecessary information except for its base, and write only ErfuHlQV8eiKk1MMZm0iBN77SogyWcB8 to the variable. Then, when I make a Post request, I set the header of the X-CSRFToken and the body of the variable in the Set Header. Everything works fine when requesting from the editor, but on android it refuses

To do post requests on android you need to add permissions into your manifest

<uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

I already have this in androidManifest.


Thank you for trying to help. I’m currently reworking my backend to use json, which I can at least take data from. Maybe later I will try to find other ways with gpt-4

I also found a thread from 2014 with a similar problem. I just wonder if the developers have made changes to libcurl, or if it has been like this for 9 years.
Using Http Module on Android - Programming & Scripting / Multiplayer & Networking - Epic Developer Community Forums (unrealengine.com)

Curl could also be stopping you because of an invalid ssl certificate. Self signed are still seen as invalid.

You can see if it has the added option
-k, --insecure like in the standard curl to omit the ssl check for now.

It sounds like an interesting and logical solution, but I use a project with blueprints (although I have a generated solution). Most likely, you will have to go into the VaRest files and insert this parameter there. Thanks for the tip, I will try it when I have time