Django

Ticket #7364 (closed: fixed)

Opened 6 months ago

Last modified 4 months ago

Login view is cached when caching middleware is turned on

Reported by: clong@twothirtyfour.com
Assigned to: nobody
Milestone: 1.0
Component: Contrib apps
Version: SVN
Keywords: auth, login, cache
Cc:
Triage Stage: Accepted
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

This causes a problem, because the login view expects a cookie to be set when a user visits the login page. If it's not set it will fail the login, but will set the cookie.

Quick steps:

  1. Make a request to the login page without any GET or POST parameters.
  2. Web server returns the cached page. (Note: this doesn’t set the cookie because no Python code has been run; the page returned is static.)
  3. The user enters in the login information and submits the information. This is sent to the server as a POST.
  4. The server, because of the POST, now runs the login view. This fails because there was no cookie previously set, but it does set the cookie that should have been previously set.
  5. The error message shown to the user is as if it was a failed attempt. If the user reenters the information, the login will now work as the cookie is now set.

I attached a diff that uses the 'never_cache' decorator to fix this.

Attachments

auth-caching.diff (0.6 kB) - added by clong@twothirtyfour.com on 06/04/08 13:41:11.
admin_login_cache.diff (1.4 kB) - added by permon on 07/03/08 19:39:24.
admin_login_cache-8161.diff (1.4 kB) - added by jcassee on 07/31/08 14:54:34.
Updated patch to revision 8161
7364-admin_login_cache-8345.diff (1.7 kB) - added by jcassee on 08/14/08 05:48:29.

Change History

06/04/08 13:41:11 changed by clong@twothirtyfour.com

  • attachment auth-caching.diff added.

07/03/08 19:39:24 changed by permon

  • attachment admin_login_cache.diff added.

07/03/08 19:43:48 changed by permon

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

Previous patch corrected general behaviour of login page. But this one was not the one used in contrib.admin.

07/31/08 14:54:34 changed by jcassee

  • attachment admin_login_cache-8161.diff added.

Updated patch to revision 8161

08/08/08 11:35:06 changed by ericholscher

  • stage changed from Unreviewed to Accepted.
  • milestone set to 1.0.

08/14/08 05:48:03 changed by jcassee

Diff updated to revision 8345. Also changed to older decorator syntax for compatibility with Python 2.3.

08/14/08 05:48:29 changed by jcassee

  • attachment 7364-admin_login_cache-8345.diff added.

08/14/08 07:54:47 changed by julianb

What about that: r7692?

08/14/08 07:57:58 changed by jcassee

Sorry, julianb, is this comment directed at the correct ticket? I'm not sure what the form has to do with the view being cached.

08/14/08 11:17:43 changed by julianb

This ticket #7364: "causes a problem, because the login view expects a cookie to be set when a user visits the login page"

Changeset [7692]: "login view no longer assumes that set_test_cookie has been called"

08/14/08 11:41:23 changed by jcassee

You are right, I guess. I thought it would be a bad idea to cache the login page in any case, as you may want to display a different text if the user is already logged in (the default template does not). The cookie thing was not my main concern.

08/14/08 14:14:07 changed by julianb

Okay, seems reasonable, sorry for thinking mainly about cookies ;)

I also see that there are some tickets open which aim to change how and when (test-)cookies are set. It's still important to see whether caching affects any new solution.

08/15/08 12:10:15 changed by gwilson

  • status changed from new to closed.
  • resolution set to fixed.

(In [8383]) Fixed #7364 -- Never cache the contrib.auth login view.
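
The steps in the description and the effect of the never_cache fix, as an added example that is not part of the ticket or of Django's code. It is a simplified pure-Python model: `Response`, `login`, `CachingMiddleware`, the `testcookie` name and this `never_cache` are constructed stand-ins, and the cache here stores only the response body, as step 2 of the description assumes.

```python
# Simplified model of the ticket's scenario; constructed stand-ins, not Django's code.

class Response:
    def __init__(self, body):
        self.body, self.headers, self.set_cookies = body, {}, {}

def login(method, cookies):
    """Login view as the ticket describes it: GET sets a test cookie, POST requires it."""
    if method == "POST":
        if "testcookie" in cookies:
            return Response("logged in")
        resp = Response("login failed")      # shown to the user like a failed attempt
    else:
        resp = Response("login form")
    resp.set_cookies["testcookie"] = "worked"  # set on every non-successful response
    return resp

def never_cache(view):
    """Stand-in for the decorator: mark every response from the view as uncacheable."""
    def wrapped(method, cookies):
        resp = view(method, cookies)
        resp.headers["Cache-Control"] = "max-age=0"
        return resp
    return wrapped

class CachingMiddleware:
    """Caches GET response bodies; a cache hit never runs the view."""
    def __init__(self, view):
        self.view, self.cache = view, {}

    def __call__(self, method, cookies):
        if method == "GET" and "page" in self.cache:
            return Response(self.cache["page"])   # static body, no cookie is set
        resp = self.view(method, cookies)
        if method == "GET" and resp.headers.get("Cache-Control") != "max-age=0":
            self.cache["page"] = resp.body
        return resp

def second_visitor_login(site):
    """A first visitor warms the cache; return what a second, fresh visitor gets on POST."""
    site("GET", {})                               # visitor A populates the cache
    cookies = dict(site("GET", {}).set_cookies)   # visitor B loads the login page
    return site("POST", cookies).body             # visitor B submits the form

def run():
    """Outcome for the cached view, then for the view wrapped in never_cache."""
    return (second_visitor_login(CachingMiddleware(login)),
            second_visitor_login(CachingMiddleware(never_cache(login))))
```
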

