id: 31129
summary: Password reset requires proper SESSION_COOKIE_SAMESITE value.
reporter: Nicholas Fiorentini
owner: nobody
description:

A misconfiguration in Django settings could cause the password reset link to stop working properly. This is not well documented and it lacks Django checks.

**Steps to reproduce:**

1. activate Django's authentication with its password reset features;
2. set `SESSION_COOKIE_SAMESITE` to `Strict`;
3. initiate a password reset and open the link received in the email (by clicking on it);
4. the password reset page opens with the "token already used" error. It should open the password reset form instead.

**Root cause**

Password reset must have `SESSION_COOKIE_SAMESITE` set to `Lax` or `None` in order to have the link working when clicked. Please notice that copying and pasting the link works. Also, unit testing the password reset flow will likely not catch this issue.

**Proposed solution**

The documentation (https://docs.djangoproject.com/en/3.0/topics/auth/default/) should detail this requirement. Furthermore, if technically feasible, a Django check (https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) should be added to alert a wrong setting when the authentication links are included in a site with wrong `SESSION_COOKIE_SAMESITE`.

type: Cleanup/optimization
status: closed
component: contrib.auth
version: dev
severity: Normal
resolution: invalid
keywords:
cc:
stage: Unreviewed
has_patch: 0
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0