[bug] Using an IP address or local hostname as DASHBOARD_DOMAIN silently breaks CSRF, sessions, and login #569

@dhrm1k

Describe the bug
When DASHBOARD_DOMAIN is set to an IP address (e.g. 192.168.1.22) or a local hostname without a real TLD (e.g. dharmikhomelab), the dashboard appears to load but login is completely broken. Every form submission returns a CSRF verification failure with no useful indication of why.

This affects anyone running docker-openwisp on a homelab, internal server, or any setup without a public domain name.

In settings.py inside the dashboard image, the following code runs at startup:

ROOT_DOMAIN = "." + tldextract.extract(os.environ["DASHBOARD_DOMAIN"]).registered_domain
CSRF_COOKIE_DOMAIN = ROOT_DOMAIN
SESSION_COOKIE_DOMAIN = ROOT_DOMAIN

tldextract is designed to parse real public TLDs. When given a raw IP or a local hostname, registered_domain returns an empty string, so ROOT_DOMAIN becomes ".".

There are no errors in any logs pointing to this. The dashboard loads, the login page renders, but every login attempt fails with CSRF verification failed. Request aborted.

Steps To Reproduce

  1. Set DASHBOARD_DOMAIN=192.168.1.22 (or any raw IP / local hostname) in .env
  2. Run make start
  3. Navigate to https://192.168.1.22/admin/login/
  4. Try to log in and it gives a CSRF error every time

You can confirm the issue by running inside the dashboard container:

docker exec docker-openwisp-dashboard-1 bash -c \
  "DJANGO_SETTINGS_MODULE=openwisp.settings python3 -c \
  'from django.conf import settings; print(settings.CSRF_COOKIE_DOMAIN)'"

It will print . instead of a real domain.

Expected behavior
When DASHBOARD_DOMAIN is a raw IP or local hostname, OpenWISP should either fall back gracefully so login still works, or raise a clear error at startup explaining the domain is invalid, not silently corrupt cookie settings and make the whole dashboard unusable.

System Information:

  • docker-openwisp: latest / edge
  • Deployed on: Ubuntu 24.04 homelab server running CasaOS
  • DASHBOARD_DOMAIN values tested: raw IP 192.168.1.22, local hostname dharmikhomelab
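
The two outcomes requested under "Expected behavior", written out as an added example (not code from docker-openwisp or from the reporter): fall back to a host-only cookie, or fail at startup with a clear message. The names `derive_cookie_domain`, `is_ip_literal`, `stub_registered_domain` and the `strict` flag are hypothetical, and the stub is a constructed stand-in for tldextract so the guard runs offline.

```python
import ipaddress
from typing import Callable, Optional


def tldextract_registered_domain(host: str) -> str:
    # The call quoted in the issue; imported lazily so the guard can be
    # exercised without the third-party package installed.
    import tldextract
    return tldextract.extract(host).registered_domain


def stub_registered_domain(host: str) -> str:
    # Constructed stand-in reproducing the results the issue reports:
    # empty string for a bare local hostname, a value for a public name.
    samples = {"dashboard.example.com": "example.com", "dharmikhomelab": ""}
    return samples[host]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def derive_cookie_domain(
    dashboard_domain: str,
    registered_domain_of: Callable[[str], str] = tldextract_registered_domain,
    strict: bool = False,
) -> Optional[str]:
    """Value for CSRF_COOKIE_DOMAIN / SESSION_COOKIE_DOMAIN (hypothetical helper)."""
    host = dashboard_domain.strip()
    # An IP literal has no registrable domain, so skip the suffix parser.
    registered = "" if is_ip_literal(host) else registered_domain_of(host)
    if registered:
        return "." + registered
    if strict:
        raise ValueError(
            f"DASHBOARD_DOMAIN={dashboard_domain!r} has no registrable domain; "
            "cannot derive a cookie domain from it"
        )
    # None is Django's default for both settings: a host-only cookie.
    return None


if __name__ == "__main__":
    for value in ("dashboard.example.com", "192.168.1.22", "dharmikhomelab"):
        print(value, "->", derive_cookie_domain(value, stub_registered_domain))
```
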
