Opened 11 years ago
Closed 10 years ago
#21322 closed Cleanup/optimization (fixed)
Cookie-averse users get CSRF failure without a clear explanation
| Reported by: | Ole Laursen | Owned by: | Bouke Haarsma |
|---|---|---|---|
| Component: | CSRF | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Bouke Haarsma | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This easiest way to see this it to start a new project, set DEBUG=False, start the dev server, disable cookies in the browser and go to /admin/ and try to login. The result is an inexplicable (to an end-user) "403 CSRF verification failed".
The CSRF view already gives a relatively friendly (although not translated) explanation if Referer headers are turned off. I suggest adding one for a non-existing cookie too, patch attached against latest trunk.
I'm attaching a little test project in a tarball.
I think this is an old problem, the patch here was originally against 1.2 (credit goes to Henrik Levkowetz).
Attachments (2)
Change History (7)
by , 11 years ago
| Attachment: | csrf-cookie.diff added |
|---|
comment:1 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|---|
| Type: | Bug → Cleanup/optimization |
I created #21324 to track the non-translated issue.
comment:2 by , 10 years ago
| Patch needs improvement: | set |
|---|
Now that #21324 has been fixed, the patch needs to accommodate for content translation.
comment:3 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Patch needs improvement: | unset |
| Status: | new → assigned |
I've rebased the patch and added tests that check for the various error messages: https://github.com/django/django/pull/1859
comment:4 by , 10 years ago
| Cc: | added |
|---|
comment:5 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Patch against 382d324ccc0753962ec31ac23a4bde4fb2b9454e with text for NO_CSRF_COOKIE case