Opened 11 years ago
Closed 11 years ago
#21322 closed Cleanup/optimization (fixed)
Cookie-averse users get CSRF failure without a clear explanation
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | Ole Laursen | Owned by: | Bouke Haarsma |
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Bouke Haarsma | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The easiest way to see this is to start a new project, set DEBUG=False, start the dev server, disable cookies in the browser and go to /admin/ and try to log in. The result is an inexplicable (to an end-user) "403 CSRF verification failed".
The CSRF view already gives a relatively friendly (although not translated) explanation if Referer headers are turned off. I suggest adding one for a non-existing cookie too, patch attached against latest trunk.
I'm attaching a little test project in a tarball.
I think this is an old problem, the patch here was originally against 1.2 (credit goes to Henrik Levkowetz).
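The failure mode the ticket describes, as an added example that is not part of the ticket, the attached patch or Django's own code: a simplified stand-in for Django's CSRF check that rejects unsafe requests for a distinct reason (no Referer over HTTPS, no CSRF cookie, bad token) and then maps each reason to an end-user explanation, so that a cookie-averse user is told to enable cookies instead of a bare "403 CSRF verification failed". The request shape (a plain dict), the cookie and field names and the wording of the reasons and explanations are assumptions chosen for this illustration; the sample requests are constructed inline.

```python
import hmac
from urllib.parse import urlsplit

# Reason strings in the spirit of Django's CsrfViewMiddleware; the exact
# wording is an assumption for this illustration, not Django's code.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

# Methods that must be side-effect free and are therefore not CSRF-checked.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"          # assumed cookie name
FORM_FIELD = "csrfmiddlewaretoken"  # assumed form field name
HEADER_NAME = "X-CSRFToken"        # assumed header name for AJAX clients


def csrf_check(request):
    """Return None if the request passes, otherwise the rejection reason.

    `request` is a plain dict standing in for an HTTP request (assumed shape):
    method, host, secure (bool), headers (dict), cookies (dict), post (dict).
    The checks run in the same order a middleware would: safe methods first,
    the Referer check only over HTTPS, then the cookie, then the token.
    """
    if request["method"] in SAFE_METHODS:
        return None

    if request["secure"]:
        # Over HTTPS the Referer is used as an extra defence against
        # MITM-injected origins, so a missing Referer is a hard failure.
        referer = request["headers"].get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        if urlsplit(referer).netloc != request["host"]:
            return REASON_BAD_REFERER % (referer, request["host"])

    cookie = request["cookies"].get(COOKIE_NAME)
    if cookie is None:
        # This is the cookie-disabled browser case from the ticket.
        return REASON_NO_CSRF_COOKIE

    token = request["post"].get(FORM_FIELD) or request["headers"].get(HEADER_NAME, "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, cookie):
        return REASON_BAD_TOKEN
    return None


def failure_explanation(reason):
    """Choose the end-user explanation for a rejection reason.

    Distinguishing the no-cookie case is the point of the ticket: without it
    a user who has disabled cookies only sees the generic message.
    """
    if reason == REASON_NO_REFERER:
        return ("CSRF verification failed. Your browser is not sending the "
                "'Referer' header required for HTTPS requests; please enable it.")
    if reason == REASON_NO_CSRF_COOKIE:
        return ("CSRF verification failed. Your browser is not accepting cookies, "
                "which are required for this form; please enable cookies and retry.")
    return "CSRF verification failed. Request aborted."


# Constructed sample requests (not captured traffic).
COOKIE_DISABLED_LOGIN = {  # dev server over plain HTTP, cookies off in the browser
    "method": "POST", "host": "127.0.0.1:8000", "secure": False,
    "headers": {"Referer": "http://127.0.0.1:8000/admin/login/"},
    "cookies": {},
    "post": {"username": "admin", "password": "secret"},
}
HTTPS_NO_REFERER = {
    "method": "POST", "host": "example.org", "secure": True,
    "headers": {}, "cookies": {COOKIE_NAME: "a" * 32},
    "post": {FORM_FIELD: "a" * 32},
}
VALID_LOGIN = {
    "method": "POST", "host": "127.0.0.1:8000", "secure": False,
    "headers": {}, "cookies": {COOKIE_NAME: "b" * 32},
    "post": {FORM_FIELD: "b" * 32, "username": "admin"},
}


def explain(request):
    """Run the check and return (reason, explanation) for a request."""
    reason = csrf_check(request)
    return reason, (None if reason is None else failure_explanation(reason))


if __name__ == "__main__":
    for name, req in [("cookies disabled", COOKIE_DISABLED_LOGIN),
                      ("https, no referer", HTTPS_NO_REFERER),
                      ("valid", VALID_LOGIN)]:
        print(name, "->", explain(req))
```

The only structural change the ticket asks for is the second branch of `failure_explanation`: the rejection reasons were already distinct inside the middleware, but the failure view collapsed everything except the missing-Referer case into the generic message.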
Attachments (2)
Change History (7)
by , 11 years ago
Attachment: csrf-cookie.diff added
comment:1 by , 11 years ago
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization
I created #21324 to track the non-translated issue.
comment:2 by , 11 years ago
Patch needs improvement: set
Now that #21324 has been fixed, the patch needs to accommodate for content translation.
comment:3 by , 11 years ago
Owner: changed from | to
Patch needs improvement: unset
Status: new → assigned
I've rebased the patch and added tests that check for the various error messages: https://github.com/django/django/pull/1859
comment:4 by , 11 years ago
Cc: added
comment:5 by , 11 years ago
Resolution: → fixed
Status: assigned → closed
Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case