#21322 closed Cleanup/optimization (fixed)

Cookie-averse users get CSRF failure without a clear explanation

Reported by: olau Owned by: bouke
Component: CSRF Version: master
Severity: Normal Keywords:
Cc: bouke Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The easiest way to see this is to start a new project, set DEBUG=False, start the dev server, disable cookies in the browser, go to /admin/ and try to log in. The result is an inexplicable (to an end-user) "403 CSRF verification failed".

The CSRF view already gives a relatively friendly (although not translated) explanation if Referer headers are turned off. I suggest adding one for a non-existing cookie too, patch attached against latest trunk.

I'm attaching a little test project in a tarball.

I think this is an old problem, the patch here was originally against 1.2 (credit goes to Henrik Levkowetz).
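As an added example (not part of the ticket, the attached patch, or Django's own code), here is a standalone reimplementation of the decision order in Django's CSRF check, returning a distinct reason for each way the check can fail so that the failure view can tell a cookie-averse user what actually went wrong. `FakeRequest`, `csrf_failure_reason` and `explain_failure` are names invented for this example; the reason strings are modelled on the constants in `django.middleware.csrf`, but Django is not imported and the wording may differ between versions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Reason strings modelled on the constants in django.middleware.csrf
# (illustrative copies; not imported from Django).
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

CSRF_COOKIE_NAME = "csrftoken"            # Django's default CSRF_COOKIE_NAME
CSRF_FIELD_NAME = "csrfmiddlewaretoken"   # Django's default form field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class FakeRequest:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""
    method: str = "POST"
    secure: bool = False
    cookies: dict = field(default_factory=dict)   # request.COOKIES
    post: dict = field(default_factory=dict)      # request.POST
    meta: dict = field(default_factory=dict)      # request.META (HTTP_* headers)


def csrf_failure_reason(request):
    """Return None if the request passes the CSRF check, else a reason string.

    The order mirrors CsrfViewMiddleware.process_view: safe methods are not
    checked; an HTTPS request must carry a Referer; the CSRF cookie must be
    present; finally the submitted token must match the cookie.
    """
    if request.method in SAFE_METHODS:
        return None
    if request.secure and not request.meta.get("HTTP_REFERER"):
        return REASON_NO_REFERER
    cookie_token = request.cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        # This is the case the ticket is about: the browser never sent
        # the cookie back, so no token can possibly match.
        return REASON_NO_CSRF_COOKIE
    submitted = request.post.get(CSRF_FIELD_NAME) or request.meta.get("HTTP_X_CSRFTOKEN", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(cookie_token, submitted):
        return REASON_BAD_TOKEN
    return None


def explain_failure(reason):
    """User-facing explanation for the failure view, selected by reason."""
    if reason == REASON_NO_REFERER:
        return ("You are seeing this message because this site requires a "
                "Referer header when a form is submitted over HTTPS and your "
                "browser is not sending one.")
    if reason == REASON_NO_CSRF_COOKIE:
        return ("You are seeing this message because this site requires a CSRF "
                "cookie when submitting forms and your browser is not accepting "
                "cookies. Please enable cookies and try again.")
    return "CSRF verification failed. Request aborted."


def demo():
    """Run the check over constructed requests; returns {scenario: reason}."""
    token = secrets.token_hex(16)
    scenarios = {
        "get_without_cookies": FakeRequest(method="GET"),
        "post_without_cookies": FakeRequest(post={CSRF_FIELD_NAME: token}),
        "https_post_without_referer": FakeRequest(
            secure=True, cookies={CSRF_COOKIE_NAME: token}, post={CSRF_FIELD_NAME: token}),
        "post_with_matching_token": FakeRequest(
            cookies={CSRF_COOKIE_NAME: token}, post={CSRF_FIELD_NAME: token}),
        "post_with_wrong_token": FakeRequest(
            cookies={CSRF_COOKIE_NAME: token}, post={CSRF_FIELD_NAME: "x" * 32}),
    }
    return {name: csrf_failure_reason(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason} -> {explain_failure(reason) if reason else 'OK'}")
```

The point of keeping the reasons distinct is that the failure view can branch on them: with cookies disabled the only honest message is "enable cookies", and a generic "verification failed" gives the user nothing to act on.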

Attachments (2)

csrf-cookie.diff (1.4 KB) - added by olau 17 months ago.
Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case
t.tar.gz (1.5 KB) - added by olau 17 months ago.
Small test project that reproduces the problem


Change History (7)

Changed 17 months ago by olau

Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case

Changed 17 months ago by olau

Small test project that reproduces the problem

comment:1 Changed 17 months ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Bug to Cleanup/optimization

I created #21324 to track the non-translated issue.

comment:2 Changed 17 months ago by claudep

  • Patch needs improvement set

Now that #21324 has been fixed, the patch needs to accommodate content translation.

comment:3 Changed 17 months ago by bouke

  • Owner changed from nobody to bouke
  • Patch needs improvement unset
  • Status changed from new to assigned

I've rebased the patch and added tests that check for the various error messages: https://github.com/django/django/pull/1859

comment:4 Changed 17 months ago by bouke

  • Cc bouke added

comment:5 Changed 17 months ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 9b95fa7777c4b484f8053b87f48d65c853945f19:

Fixed #21322 -- Error message when CSRF cookie is missing

Thanks to Henrik Levkowetz and olau for their reports and initial patches.
