session state value missing: django/heroku/gitub oauth2


Kathy Flint

Jul 13, 2016, 7:06:08 PM
to Django Social Auth
Authentication errors on "session state value missing"

Configuration is social.backends.github.GithubOAuth2 integrated into a Django app running on Heroku host.

I can see that response cookies are not getting set during the callback portion of the oauth2 

This is the request

Response is missing the csrftoken and sessionid cookies.

Pipeline is known good - same configuration working in different environments.

SOCIAL_AUTH_PIPELINE = (
    'social.pipeline.social_auth.social_details',
    'social.pipeline.social_auth.social_uid',
    'social.pipeline.social_auth.auth_allowed',
    'social.pipeline.social_auth.social_user',
    'social.pipeline.social_auth.associate_user',
    'social.pipeline.social_auth.load_extra_data',
    'apps.accounts.pipeline.get_user_teams',
    'social.pipeline.user.user_details',
)

Protocol is https, and these potentially relevant settings are currently applied. I have tried several combinations of true/false with the first 4.

# Booleans, not quoted strings: in Python the string 'False' is still truthy,
# so a quoted value can never actually turn one of these flags off.
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

Attached is a settings dump
settings-dump-alliance-dev.txt

Kathy Flint

Jul 14, 2016, 12:44:54 PM
to Django Social Auth
To state my question more clearly:

It seems like, in a happy path, a request to <domain>complete/github?<parm string> sets 2 cookies on the request header which are then echoed in the response header. These are named csrftoken and sessionid.

Fairly stated?

In my sad path, my request to 


with header 

              "name": "Cookie",
              "value": "csrftoken=W1Z3RWTetc"

does not reflect those cookies in the response. 

I am having trouble getting to a stack trace, so I can't tell if the session state error is caused by the missing cookies or vice-versa.

I would welcome ideas about how to solve OR suggestions about how to see an exception trace. I do not see the error in server logs. These settings are at default, which I assume == false:

<backend name>_SOCIAL_AUTH_RAISE_EXCEPTIONS
SOCIAL_AUTH_RAISE_EXCEPTIONS

I can attach a .har file for both happy and sad path (same app different server), if useful.
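To make the "session state value missing" symptom concrete, here is an added, self-contained simulation of the OAuth2 state check (constructed example code, not python-social-auth's or Django's own; the session store, cookie parser and function names are hypothetical stand-ins). The state is minted when login starts and saved server-side in the session; on the callback it can only be found through the sessionid cookie, so a callback that arrives with just a csrftoken cookie, like the sad-path header above, has no session to look in and fails before the state value is even compared.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-in for Django's session backend: sessionid -> data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def begin_auth() -> Tuple[str, str]:
    """Login start: create a session, mint a random OAuth2 state, store the
    state server-side. Returns (sessionid cookie value, state query param)."""
    sessionid = secrets.token_urlsafe(16)
    state = secrets.token_urlsafe(16)
    SESSIONS[sessionid] = {"github_state": state}
    return sessionid, state


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Minimal parser for a Cookie: header such as 'csrftoken=abc; sessionid=xyz'."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def complete_auth(cookie_header: Optional[str], state_param: Optional[str]) -> str:
    """Callback (/complete/github/?state=...): the state echoed back by the
    provider must equal the one saved in the session the browser's
    sessionid cookie points at. Returns a short result string."""
    sessionid = parse_cookie_header(cookie_header).get("sessionid", "")
    session = SESSIONS.get(sessionid)
    if session is None or "github_state" not in session:
        # No session (cookie never set, not sent back, or expired): this is
        # the "session state value missing" outcome, raised before comparing.
        return "error: session state value missing"
    if not state_param or not hmac.compare_digest(session["github_state"], state_param):
        # Wrong or absent state: the CSRF check on the callback fails.
        return "error: state mismatch"
    del session["github_state"]  # state is single-use; a replay hits "missing"
    return "ok"
```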

Kathy Flint

Jul 14, 2016, 9:39:42 PM
to Django Social Auth


On Wednesday, July 13, 2016 at 6:06:08 PM UTC-5, Kathy Flint wrote: