Cookie-averse users get CSRF failure without a clear explanation
Reported by: Ole Laursen    Owned by: Bouke Haarsma
Cc: Bouke Haarsma    Triage Stage: Accepted
Has patch: yes    Needs documentation: no
Needs tests: no    Patch needs improvement: no
The easiest way to see this is to start a new project, set DEBUG=False, start the dev server, disable cookies in the browser, go to /admin/ and try to log in. The result is an inexplicable (to an end-user) "403 CSRF verification failed".
The CSRF view already gives a relatively friendly (although not translated) explanation if Referer headers are turned off. I suggest adding one for a non-existing cookie too; patch attached against latest trunk.
I'm attaching a little test project in a tarball.
I think this is an old problem, the patch here was originally against 1.2 (credit goes to Henrik Levkowetz).
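Added illustration (this is example code written for this page, not the ticket's patch and not Django's CsrfViewMiddleware): a simplified model of the middleware's checks, enough to show why a browser with cookies disabled lands on the failure view with the "cookie not set" reason rather than a token mismatch, and what a failure view that tells the missing-cookie case apart from the missing-Referer case could show the user. The Request class, the exact reason strings and the page text are assumptions of the example.

```python
"""Simplified Django-style CSRF check and failure view (example code, not
Django's own implementation).  Request is a stand-in for HttpRequest."""

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Reason strings in the spirit of those used by Django's middleware; the exact
# wording here is an assumption of this example.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    scheme: str = "http"
    host: str = "localhost:8000"
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def new_token():
    """Fresh CSRF token; the server sets it as a cookie and embeds it in forms."""
    return secrets.token_hex(32)


def check_csrf(request, cookie_name="csrftoken", field_name="csrfmiddlewaretoken"):
    """Return None when the request passes, otherwise the reason it failed."""
    if request.method in SAFE_METHODS:
        return None
    # Over HTTPS a same-origin Referer is required as well (Django does this
    # because an attacker on plain HTTP could otherwise plant the cookie).
    if request.scheme == "https":
        referer = request.headers.get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != request.host:
            return REASON_BAD_REFERER % referer
    # A browser with cookies disabled never sends the cookie, so this is the
    # branch the ticket's /admin/ login scenario hits: no token comparison at all.
    cookie_token = request.cookies.get(cookie_name)
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    request_token = request.post.get(field_name) or request.headers.get("X-CSRFToken") or ""
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return REASON_BAD_TOKEN
    return None


def failure_page(reason):
    """Text an end-user-facing 403 page should show for each failure reason."""
    lines = ["403 Forbidden: CSRF verification failed. Request aborted."]
    if reason == REASON_NO_CSRF_COOKIE:
        lines.append("You are seeing this message because this site requires a CSRF "
                     "cookie when submitting forms, and your browser did not send one. "
                     "Please enable cookies for this site and reload the page.")
    elif reason == REASON_NO_REFERER:
        lines.append("You are seeing this message because this HTTPS site requires a "
                     "Referer header to be sent by your browser, but none was sent.")
    else:
        lines.append("Reason given for failure: " + reason)
    return "\n".join(lines)


def admin_login_with_cookies_disabled():
    """Reproduce the ticket (constructed scenario): the login form embedded a
    token, but the browser refused the Set-Cookie, so the POST carries no cookie."""
    token = new_token()
    req = Request(method="POST", post={"csrfmiddlewaretoken": token,
                                       "username": "admin", "password": "x"})
    return check_csrf(req)


if __name__ == "__main__":
    print(failure_page(admin_login_with_cookies_disabled()))
```

The point for the failure view is that the middleware already knows which check failed; the view only has to branch on the reason instead of printing the same generic 403 for every case.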
Change History (7)
comment:1 Changed 3 years ago by
Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization
comment:3 Changed 3 years ago by
Owner: changed from nobody to Bouke Haarsma
Patch needs improvement: unset
Status: new → assigned