CSRF token issue when running Phoenix in a Docker container locally

Recently I wrote a Dockerfile to build and run our Phoenix app in a container in production mode.

When running it locally, everything seemed to work, but when I tried to submit a form, I got a CSRF token error.

My colleague Scott Hamilton figured out that the problem was this bit of configuration for the session - secure: Mix.env() == :prod. I wasn’t running https locally, but my containerized Phoenix app was configured not to accept cookies in that case.

The solution was to set that secure: configuration at runtime based on an environment variable, so that I could waive that requirement when running “production” in a local container. (Another option would be to actually run HTTPS locally.)

Just wanted to leave a note about this in case anybody else runs into the problem.

3 Likes
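One way to make the secure: setting from the post above configurable at runtime, as an added example that is not part of the original thread. The app name :my_app, the module MyAppWeb.RuntimeSession, the config key :session_cookie_secure and the variable SESSION_COOKIE_SECURE are all hypothetical, and the flag defaults to true so that only an explicit opt-out drops the Secure attribute.

```elixir
# --- config/runtime.exs (evaluated when the release boots, not at build time) ---
import Config

# Fail closed: the session cookie stays Secure unless the operator explicitly
# sets SESSION_COOKIE_SECURE=false, e.g. for a local container served over
# plain HTTP. SESSION_COOKIE_SECURE is a hypothetical variable name.
config :my_app, :session_cookie_secure,
  System.get_env("SESSION_COOKIE_SECURE", "true") != "false"

# --- lib/my_app_web/runtime_session.ex ---
defmodule MyAppWeb.RuntimeSession do
  @moduledoc """
  Wraps Plug.Session so the :secure option is read on each request instead
  of being frozen into the endpoint when the image is compiled.
  """
  @behaviour Plug

  @impl true
  # Keep the static options (store, key, signing_salt, same_site) untouched;
  # :secure is merged in later, in call/2.
  def init(opts), do: opts

  @impl true
  def call(conn, opts) do
    # A missing key means "secure", matching the default in runtime.exs.
    secure? = Application.get_env(:my_app, :session_cookie_secure, true)

    session_opts =
      opts
      |> Keyword.put(:secure, secure?)
      |> Plug.Session.init()

    Plug.Session.call(conn, session_opts)
  end
end

# --- lib/my_app_web/endpoint.ex ---
# Replace
#     plug Plug.Session, @session_options
# with
#     plug MyAppWeb.RuntimeSession, @session_options
# and remove any compile-time `secure: Mix.env() == :prod` entry from
# @session_options so that the runtime value is the only source of truth.
```

Running the container with SESSION_COOKIE_SECURE=false gives the local plain-HTTP behaviour described in the post; leaving the variable unset keeps the cookie marked Secure in real deployments.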

I had a similar problem to this.

I was using secure: true in my endpoint.ex for Plug.Conn session options and it was making my Wallaby test fail (user could not log in as cookie not sent over http).

However, I am very confused because I have been using this config for a long time, including running the server locally and visiting it and logging in over http. Even when running the server in docker with port 4000 exposed and mapped I can visit the site and log in and use normal functionality.