Opened 3 years ago

Closed 3 years ago

#21322 closed Cleanup/optimization (fixed)

Cookie-averse users get CSRF failure without a clear explanation

Reported by: Ole Laursen
Owned by: Bouke Haarsma
Component: CSRF
Version: master
Severity: Normal
Keywords:
Cc: Bouke Haarsma
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The easiest way to see this is to start a new project, set DEBUG=False, start the dev server, disable cookies in the browser and go to /admin/ and try to log in. The result is an inexplicable (to an end-user) "403 CSRF verification failed".

The CSRF view already gives a relatively friendly (although not translated) explanation if Referer headers are turned off. I suggest adding one for a non-existing cookie too, patch attached against latest trunk.

I'm attaching a little test project in a tarball.

I think this is an old problem, the patch here was originally against 1.2 (credit goes to Henrik Levkowetz).
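The description contrasts the friendly message shown when the Referer header is missing with the bare 403 a missing CSRF cookie produced. As an added example (not Django's code and not the attached patch), the Python sketch below shows the shape of a CSRF check that returns one distinct reason per failure mode, and a failure view that turns the cookie case into something a cookie-averse user can act on. The Request class, check_csrf(), csrf_failure_response(), the USER_HELP text and the simplified Referer check are all constructed for this example; only the reason-string idea mirrors Django's CsrfViewMiddleware.

```python
"""Reason-aware CSRF check (added example, not Django's own code).

The ticket's point is that a rejected request must say *why* it was
rejected: a user who has disabled cookies can only act on "CSRF cookie not
set", not on a bare 403. The Request class, check_csrf() and the help text
below are constructed for this example.
"""
import hmac
from dataclasses import dataclass, field

CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# One distinct reason per failure mode, so the failure view can explain it.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

# Illustrative end-user explanations (constructed for this example).
USER_HELP = {
    REASON_NO_REFERER: (
        "This site requires a Referer header on HTTPS form submissions. "
        "If your browser or a privacy extension strips it, re-enable it "
        "for this site."
    ),
    REASON_NO_CSRF_COOKIE: (
        "This site requires a cookie when submitting forms, to check that "
        "the request really comes from you. If you have disabled cookies, "
        "re-enable them for this site and reload the form."
    ),
}


@dataclass
class Request:
    """Stand-in for a WSGI request: just the fields the check reads."""
    method: str
    is_secure: bool = False
    host: str = "example.com"
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)  # WSGI-style environ keys


def check_csrf(request):
    """Return None if the request passes, otherwise the rejection reason.

    Order matters: the Referer check runs first (only over HTTPS), then the
    cookie's presence, then the token comparison, so each failure is
    reported by its most specific cause.
    """
    if request.method in SAFE_METHODS:
        return None

    if request.is_secure:
        # Strict Referer check over HTTPS; simplified to a prefix match
        # against the request's own origin for this example.
        referer = request.meta.get("HTTP_REFERER")
        if referer is None:
            return REASON_NO_REFERER
        good_origin = "https://%s/" % request.host
        if not referer.startswith(good_origin):
            return REASON_BAD_REFERER % (referer, good_origin)

    cookie_token = request.cookies.get(CSRF_COOKIE_NAME)
    if cookie_token is None:
        # The ticket's case: cookies disabled, so the token can never
        # round-trip. Name it instead of folding it into "bad token".
        return REASON_NO_CSRF_COOKIE

    request_token = request.post.get(CSRF_FORM_FIELD) or \
        request.meta.get(CSRF_HEADER_NAME, "")
    # Constant-time comparison; both sides encoded so non-ASCII input
    # cannot raise TypeError.
    if not hmac.compare_digest(cookie_token.encode(), request_token.encode()):
        return REASON_BAD_TOKEN
    return None


def csrf_failure_response(reason):
    """Build the 403 body: the technical reason plus user-facing help."""
    body = "403 Forbidden: CSRF verification failed. Reason given: %s" % reason
    help_text = USER_HELP.get(reason)
    if help_text:
        body += "\n\n" + help_text
    return 403, body


if __name__ == "__main__":
    # Reproduce the ticket: POST to a form with cookies disabled.
    no_cookies = Request(method="POST", post={CSRF_FORM_FIELD: "abc"})
    print(csrf_failure_response(check_csrf(no_cookies))[1])
```

The ordering in check_csrf() is what makes the explanation possible: if the cookie-presence test were merged into the token comparison, a user with cookies disabled would see "token missing or incorrect" and have no idea that re-enabling cookies is the fix.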

Attachments (2)

csrf-cookie.diff (1.4 KB) - added by Ole Laursen 3 years ago.
Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case
t.tar.gz (1.5 KB) - added by Ole Laursen 3 years ago.
Small test project that reproduces the problem


Change History (7)

Changed 3 years ago by Ole Laursen

Attachment: csrf-cookie.diff added

Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case

Changed 3 years ago by Ole Laursen

Attachment: t.tar.gz added

Small test project that reproduces the problem

comment:1 Changed 3 years ago by Claude Paroz

Triage Stage: Unreviewed → Accepted
Type: Bug → Cleanup/optimization

I created #21324 to track the non-translated issue.

comment:2 Changed 3 years ago by Claude Paroz

Patch needs improvement: set

Now that #21324 has been fixed, the patch needs to accommodate for content translation.

comment:3 Changed 3 years ago by Bouke Haarsma

Owner: changed from nobody to Bouke Haarsma
Patch needs improvement: unset
Status: new → assigned

I've rebased the patch and added tests that check for the various error messages: https://github.com/django/django/pull/1859

comment:4 Changed 3 years ago by Bouke Haarsma

Cc: Bouke Haarsma added

comment:5 Changed 3 years ago by Claude Paroz <claude@…>

Resolution: fixed
Status: assigned → closed

In 9b95fa7777c4b484f8053b87f48d65c853945f19:

Fixed #21322 -- Error message when CSRF cookie is missing

Thanks to Henrik Levkowetz and olau for their reports and initial patches.
