Opened 7 years ago

Closed 6 years ago

Last modified 4 years ago

#10166 closed (wontfix)

Cookie test fails in login() view

  • Reported by: iakbar
  • Owned by: nobody
  • Component: contrib.auth
  • Version: 1.0
  • Severity:
  • Keywords: authentication, cookie, login
  • Cc:
  • Triage Stage: Accepted
  • Has patch: yes
  • Needs documentation: no
  • Needs tests: yes
  • Patch needs improvement: no
  • Easy pickings:
  • UI/UX:

Description

The cookie test in the django.contrib.auth.views.login() view doesn't work as expected.

The url is set up as follows.

    (r'^login/$', 'django.contrib.auth.views.login')

After disabling cookies in the browser...

  1. The login view is called via a GET request and displays the login template/form (the test cookie is set).
  2. The form is posted back to the login view (the view is supposed to check for the test cookie and throw an error if the cookie is not found. This check doesn't happen).

The documentation of the __init__ method of AuthenticationForm says it
will validate that cookies are enabled only if a request is passed in
when instantiating the form. But on POST the login view doesn't pass
the request to AuthenticationForm.

Change History (7)

comment:1 Changed 7 years ago by iakbar

  • Component changed from Uncategorized to Authentication
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 7 years ago by nanotube

  • Has patch set
  • Needs tests set

The fix is simple. Line 21 of the default django.contrib.auth.views file (of the 1.0.2 release) should be:

    form = AuthenticationForm(data=request.POST, request=request)

instead of

    form = AuthenticationForm(data=request.POST)

comment:3 Changed 7 years ago by jacob

  • milestone set to 1.1
  • Triage Stage changed from Unreviewed to Accepted

comment:4 Changed 6 years ago by whiskybar

    form = AuthenticationForm(data=request.POST, request=request)

will enable the cookie test again. The question is, is it intended? Won't some existing applications break? The cookie test has been virtually disabled since [7962] which removed the argument request when AuthenticationForm was created. AuthenticationForm logic is, the test cookie is being checked for if and only if the request has been passed in __init__.
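The behaviour described in the ticket description and in comment 4, as an added example that is not Django's code or any commenter's: a simplified model of the GET-then-POST login flow showing when the cookie test fires. `ModelAuthForm`, `login_view`, its `pass_request` flag and `login_attempt` are hypothetical names, the error strings and credentials are constructed, and only `set_test_cookie()` / `test_cookie_worked()` mirror Django's session method names.

```python
from types import SimpleNamespace

class Session:
    """Stand-in for a server-side session; method names follow Django's session API."""
    def __init__(self):
        self.data = {}

    def set_test_cookie(self):
        self.data["testcookie"] = "worked"

    def test_cookie_worked(self):
        return self.data.get("testcookie") == "worked"

class ModelAuthForm:
    """Hypothetical form: runs the cookie test only when it was given a request."""
    def __init__(self, data, request=None):
        self.data, self.request, self.errors = data, request, []

    def is_valid(self):
        if self.request is not None and not self.request.session.test_cookie_worked():
            self.errors.append("cookies disabled")
        if self.data.get("password") != "s3cret":  # constructed credential
            self.errors.append("bad credentials")
        return not self.errors

def login_view(request, pass_request):
    """GET sets the test cookie; POST validates, optionally handing the request to the form."""
    if request.method == "GET":
        request.session.set_test_cookie()
        return []
    form = ModelAuthForm(request.POST, request=request if pass_request else None)
    form.is_valid()
    return form.errors

def login_attempt(cookies_enabled, pass_request):
    """Run GET then POST as one browser; return the POST's validation errors."""
    first = Session()
    login_view(SimpleNamespace(method="GET", session=first, POST={}), pass_request)
    # A browser that rejects cookies never sends the session id back, so the
    # server sees a fresh, empty session on the POST.
    second = first if cookies_enabled else Session()
    post = SimpleNamespace(method="POST", session=second,
                           POST={"username": "alice", "password": "s3cret"})
    return login_view(post, pass_request)

if __name__ == "__main__":
    for cookies in (True, False):
        for passed in (True, False):
            print(cookies, passed, login_attempt(cookies, passed))
```

Only the combination of cookies disabled and the request passed to the form produces the cookie error; without the request, the cookie-less POST validates silently.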

comment:5 Changed 6 years ago by primski

logic is, the test cookie is being checked for if and only if the request has been passed in __init__.

True, but it fails out for the generic view users.

Perhaps an optional variable could be passed to django.contrib.auth.login view, f.i. 'cookie_test = False', which would either pass the request object to the form or not.

A simple one-liner would do the trick then:

    form = AuthenticationForm(data=request.POST, request=request) if cookie_test else AuthenticationForm(data=request.POST)

comment:6 Changed 6 years ago by jacob

  • Resolution set to wontfix
  • Status changed from new to closed

Yeah, the cookie test is deliberately disabled by default in the login view, and we'll keep it that way.

comment:7 Changed 4 years ago by jacob

  • milestone 1.1 deleted

Milestone 1.1 deleted
