Opened 15 years ago

Closed 15 years ago

Last modified 12 years ago

#10166 closed (wontfix)

Cookie test fails in login() view

Reported by: iakbar
Owned by: nobody
Component: contrib.auth
Version: 1.0
Severity:
Keywords: authentication, cookie, login
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The cookie test in the django.contrib.auth.views.login() view doesn't work as expected.

The URL is set up as follows.

    (r'^login/$', 'django.contrib.auth.views.login')

After disabling cookies in the browser...

  1. The login view is called via a GET request and displays the login template/form (the test cookie is set).
  2. The form is posted back to the login view (the view is supposed to check for the test cookie and throw an error if the cookie is not found. This check doesn't happen).

The documentation of the __init__ method of AuthenticationForm says it
will validate that cookies are enabled only if a request is passed in
when instantiating the form. But on POST the login view doesn't pass
the request to AuthenticationForm.

Change History (7)

comment:1 by iakbar, 15 years ago

Component: Uncategorized → Authentication

comment:2 by nanotube, 15 years ago

Has patch: set
Needs tests: set

The fix is simple. Line 21 of the default django.contrib.auth.views file (of the 1.0.2 release) should be:

    form = AuthenticationForm(data=request.POST, request=request)

instead of

    form = AuthenticationForm(data=request.POST)

comment:3 by Jacob, 15 years ago

milestone: 1.1
Triage Stage: Unreviewed → Accepted

comment:4 by whiskybar, 15 years ago

    form = AuthenticationForm(data=request.POST, request=request)

will enable the cookie test again. The question is, is it intended? Won't some existing applications break? The cookie test has been virtually disabled since [7962] which removed the argument request when AuthenticationForm was created. AuthenticationForm logic is, the test cookie is being checked for if and only if the request has been passed in __init__.

comment:5 by primski, 15 years ago

> logic is, the test cookie is being checked for if and only if the request has been passed in __init__.

True, but it fails out for the generic view users.

Perhaps an optional variable could be passed to django.contrib.auth.login view, f.i. 'cookie_test = False', which would either pass the request object to the form or not.

A simple one-liner would do the trick then:

    form = AuthenticationForm(data=request.POST, request=request) if cookie_test else AuthenticationForm(data=request.POST)

comment:6 by Jacob, 15 years ago

Resolution: wontfix
Status: new → closed

Yeah, the cookie test is deliberately disabled by default in the login view, and we'll keep it that way.

comment:7 by Jacob, 12 years ago

milestone: 1.1

Milestone 1.1 deleted
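
The behaviour discussed in this ticket, as an added example that is not part of the ticket and is not Django's code: a simplified, standard-library-only model of a login view whose form checks the test cookie only when it receives the request. All names (`Request`, `LoginForm`, `login_view`, `simulate`, `TEST_COOKIE`) are hypothetical, the `cookie_test` flag follows the proposal in comment 5, and the model stores the test value directly in a cookie rather than in a session.

```python
# Simplified model of the test-cookie check; hypothetical names, not Django's code.
TEST_COOKIE = "testcookie"  # constructed cookie name


class Request:
    """Minimal request: method, POST data, and the cookies the browser sent back."""
    def __init__(self, method, data=None, cookies=None):
        self.method = method
        self.POST = data or {}
        self.COOKIES = cookies or {}


class LoginForm:
    """Checks the test cookie if and only if a request was passed in."""
    def __init__(self, data, request=None):
        self.data, self.request, self.errors = data, request, []

    def is_valid(self):
        self.errors = []
        if not self.data.get("username") or not self.data.get("password"):
            self.errors.append("Enter a username and password.")
        if self.request is not None and TEST_COOKIE not in self.request.COOKIES:
            self.errors.append("Cookies do not appear to be enabled.")
        return not self.errors


def login_view(request, cookie_test=False):
    """Return (cookies_to_set, errors) for one request."""
    if request.method == "GET":
        return {TEST_COOKIE: "worked"}, []  # GET: render the form, set the test cookie
    # POST: the cookie check only runs when the request reaches the form.
    form = LoginForm(request.POST, request=request if cookie_test else None)
    form.is_valid()
    return {}, form.errors


def simulate(cookies_enabled, cookie_test):
    """One GET followed by one POST from a browser that keeps or drops cookies."""
    set_cookies, _ = login_view(Request("GET"))
    jar = set_cookies if cookies_enabled else {}  # disabled browser sends nothing back
    creds = {"username": "alice", "password": "s3cret"}  # constructed sample input
    _, errors = login_view(Request("POST", creds, jar), cookie_test)
    return errors


if __name__ == "__main__":
    for enabled in (True, False):
        for test in (True, False):
            print(f"cookies_enabled={enabled} cookie_test={test} -> {simulate(enabled, test)}")
```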
