Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#31129 closed Cleanup/optimization (invalid)

Password reset requires proper SESSION_COOKIE_SAMESITE value.

Reported by: Nicholas Fiorentini Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

A misconfiguration in Django settings could cause the password reset link to stop working properly. This is not well documented and it lacks Django checks.

Steps to reproduce:

  1. activate Django's authentication with its password reset features;
  2. set SESSION_COOKIE_SAMESITE to Strict;
  3. initiate a password reset and open the link received in the email (by clicking on it);
  4. the password reset page opens with the "token already used" error. It should open the password reset form instead.

Root cause

Password reset must have SESSION_COOKIE_SAMESITE set to Lax or None in order to have the link working when clicked.

Please notice that copying and pasting the link works. Also, unit testing the password reset flow will likely not catch this issue.

Proposed solution

The documentation (https://docs.djangoproject.com/en/3.0/topics/auth/default/) should detail this requirement.

Furthermore, if technically feasible, a Django check (https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) should be added to alert a wrong setting when the authentication links are included in a site with wrong SESSION_COOKIE_SAMESITE.
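The following is an added illustration, not Django's code and not part of the ticket: a small Python model of the two-step password-reset redirect (token URL, token stored in the session, redirect to a set-password URL) driven through a cookie jar that applies the SameSite rule. It assumes, as current browsers do, that a navigation chain started from another site (an email client, or a click-tracking redirector) keeps its cross-site initiator across the server's redirect, so a Strict session cookie set by the first hop is not sent on the second one; Lax cookies are sent on any top-level GET navigation. Hostnames, the token value and the session-cookie name are constructed placeholders.

```python
"""Constructed model of a browser's SameSite policy meeting a two-step
password-reset redirect. Not Django code; see lead-in for assumptions."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit
import secrets

SITE = "app.example"         # host serving the reset view (constructed)
TOKEN = "valid-reset-token"  # stands in for Django's uid/token pair (constructed)
RESET_PATH = f"/reset/{TOKEN}/"
SET_PASSWORD_PATH = "/reset/set-password/"


@dataclass
class Request:
    url: str
    initiator: Optional[str]      # site that started the navigation; None = typed/pasted URL
    top_level_get: bool = True    # clicking a link is a top-level GET navigation


def same_site(req: Request) -> bool:
    """A typed URL has no initiator and counts as same-site; otherwise compare hosts."""
    return req.initiator is None or req.initiator == urlsplit(req.url).hostname


def cookie_allowed(samesite: str, req: Request, honor_samesite: bool = True) -> bool:
    """Would a cookie with this SameSite value accompany req?
    honor_samesite=False models a test client that ignores the attribute entirely."""
    if not honor_samesite or samesite == "None":
        return True
    if samesite == "Lax":
        return same_site(req) or req.top_level_get
    if samesite == "Strict":
        return same_site(req)   # initiator stays cross-site across the redirect (assumption)
    raise ValueError(f"unknown SameSite value {samesite!r}")


@dataclass
class ResetServer:
    """Stand-in for the reset-confirm view: validate token, park it in the
    session, redirect to a clean URL, then read it back from the session."""
    sessions: dict = field(default_factory=dict)

    def handle(self, path: str, session_id: Optional[str]):
        """Return (status, body_or_location, newly_issued_session_id_or_None)."""
        new_cookie = None
        if session_id not in self.sessions:         # no/unknown cookie: fresh session
            session_id = secrets.token_hex(8)
            self.sessions[session_id] = {}
            new_cookie = session_id
        session = self.sessions[session_id]
        if path == RESET_PATH:
            session["_password_reset_token"] = TOKEN
            return 302, SET_PASSWORD_PATH, new_cookie
        if path == SET_PASSWORD_PATH:
            if session.get("_password_reset_token") == TOKEN:
                return 200, "password reset form", new_cookie
            return 200, "token already used / invalid link", new_cookie
        return 404, "", new_cookie


def follow_reset_link(samesite: str, initiator: Optional[str], honor_samesite: bool = True) -> str:
    """Drive the flow from the emailed link to the final page body."""
    server = ResetServer()
    jar = {}                                        # cookies stored for SITE
    url = f"https://{SITE}{RESET_PATH}"
    for _ in range(5):                              # bounded redirect following
        req = Request(url, initiator)
        sent = jar.get("sessionid") if cookie_allowed(samesite, req, honor_samesite) else None
        status, body, new_cookie = server.handle(urlsplit(url).path, sent)
        if new_cookie:
            jar["sessionid"] = new_cookie           # storing is allowed; sending is what SameSite gates
        if status != 302:
            return body
        url = f"https://{SITE}{body}"
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    for samesite in ("Strict", "Lax", "None"):
        print(f"{samesite:6} clicked from webmail : {follow_reset_link(samesite, 'mail.example')}")
        print(f"{samesite:6} pasted into URL bar  : {follow_reset_link(samesite, None)}")
    print(f"Strict, SameSite-blind test client : {follow_reset_link('Strict', 'mail.example', False)}")
```

The model reproduces the three observations in the report: Strict breaks the clicked link at the redirect hop, Lax and None work, pasting the URL works because a typed navigation has no cross-site initiator, and a test client that never applies SameSite passes under Strict, which is why a unit test of the flow does not surface the problem.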

Change History (4)

comment:1 Changed 2 years ago by Mariusz Felisiak

Resolution: invalid
Status: new → closed
Summary: Password reset requires proper SESSION_COOKIE_SAMESITE setting: documentation and additional checks → Password reset requires proper SESSION_COOKIE_SAMESITE value.
Version: 3.0 → master

Please notice that copying and pasting the link works.

Thanks for this ticket; however, if links don't work when you click them and at the same time work when you copy and paste them, then probably your email provider uses click tracking and wraps password reset links. In such cases you need to set SESSION_COOKIE_SAMESITE to Lax, but it's not a requirement in other cases. I don't think we should document this, and we definitely should not add any check for that.

Closing per TicketClosingReasons/UseSupportChannels.

comment:2 Changed 2 years ago by Adam Johnson

A similar issue was previously reported as a bug in certain versions of Safari in #29975 / #30250. Are you using Safari or similar?

comment:3 Changed 2 years ago by Mariusz Felisiak

Adam, the Safari issue is related to incorrect handling of Lax. This report is about documenting that you cannot use Strict in SameSite with the password reset mechanism, which is not true in general, as far as I'm concerned.

comment:4 Changed 2 years ago by Adam Johnson

You're right @felixxm
