id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31129	Password reset requires proper SESSION_COOKIE_SAMESITE value.	Nicholas Fiorentini	nobody	"A misconfiguration in Django settings could cause the password reset link to stop working properly. This is not well documented and it lacks Django checks.

**Steps to reproduce:**

 1. activate Django's authentication with its password reset features;
 2. set `SESSION_COOKIE_SAMESITE` to `Strict`;
 3. initiate a password reset and open the link received in the email (by clicking on it);
 4. the password reset page opens with the ""token already used"" error. It should open the password reset form instead.


**Root cause**

Password reset must have `SESSION_COOKIE_SAMESITE` set to `Lax` or `None` in order for the link to work when clicked.

Please notice that copying and pasting the link works. Also, unit testing the password reset flow will likely not catch this issue.


**Proposed solution**

The documentation (https://docs.djangoproject.com/en/3.0/topics/auth/default/) should detail this requirement.

Furthermore, if technically feasible, a Django check (https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) should be added to alert about a wrong setting when the authentication links are included in a site with a wrong `SESSION_COOKIE_SAMESITE`.
"	Cleanup/optimization	closed	contrib.auth	dev	Normal	invalid			Unreviewed	0	0	0	0	0	0
