Opened 4 years ago
Last modified 4 years ago
#33522 closed New feature
Unexpected behaviour when logging in — at Initial Version
| Reported by: | Michael | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.0 |
| Severity: | Normal | Keywords: | authentication log in CSRF token |
| Cc: | Florian Apolloner, Shai Berger | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Say a user opens two tabs to the same site, both show the login page.
The user logs in on Tab A, does some things, after a while changes to Tab B, sees the login page, and instinctively clicks login (their details pre-populated due to autofill). They will then get a surprising CSRF error.
I think this is because when they logged in on Tab A, it deleted the anonymous session, and replaced it with a new session, which means the CSRF token from Tab B fails.
Would it not be better to not delete the anonymous session when one logs in, or upgrade the session (instead of deleting it)?
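The two-tab sequence reproduced as an added, self-contained model (not code from Django or from this ticket). It reimplements the shape of Django's masked CSRF token (a 32-character secret, masked with a per-form random mask into a 64-character form token) and Django's default cookie-based storage; the `Browser`, `Server` and `reproduce` names are invented for the illustration. The one switch, `rotate_on_login`, models whether the server issues a fresh secret when a login succeeds, which is what makes the stale token in Tab B fail.

```python
"""Model of masked CSRF tokens and of rotating the secret at login.

Added illustration, a simplified reimplementation and not django.middleware.csrf;
Browser/Server/reproduce are invented names.  Storage is modelled on the
cookie-based default: one csrftoken cookie shared by every tab of the site.
"""
import hmac
import secrets

CSRF_ALLOWED_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CSRF_SECRET_LENGTH = 32


def new_secret():
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret, mask=None):
    """Return mask + cipher with cipher[i] = chars[(secret[i] + mask[i]) % n].

    A fresh mask per rendered form means the same secret never appears twice
    in a response body, while the server only needs the secret to verify it.
    """
    mask = mask or new_secret()
    n = len(CSRF_ALLOWED_CHARS)
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Invert mask_secret: chars[(cipher[i] - mask[i]) % n] == secret[i]."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


class Browser:
    """One cookie jar, shared by every tab open on the same site."""

    def __init__(self):
        self.cookies = {}


class Server:
    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login

    def get_login_page(self, browser):
        """Render the login form: set the csrftoken cookie if the browser has
        none yet, and return the masked token that goes in the hidden field."""
        if "csrftoken" not in browser.cookies:
            browser.cookies["csrftoken"] = new_secret()
        return mask_secret(browser.cookies["csrftoken"])

    def post_login(self, browser, form_token):
        """CSRF check: the unmasked form token must equal the cookie secret.
        Returns True for a successful login, False for a rejected request."""
        cookie_secret = browser.cookies.get("csrftoken")
        if cookie_secret is None or len(form_token) != 2 * CSRF_SECRET_LENGTH:
            return False
        if any(c not in CSRF_ALLOWED_CHARS for c in form_token):
            return False
        if not hmac.compare_digest(unmask_token(form_token), cookie_secret):
            return False  # the 403 the reporter sees in Tab B
        if self.rotate_on_login:
            # Fresh secret after authentication; every token rendered before
            # this point (including Tab B's form) is now stale.
            browser.cookies["csrftoken"] = new_secret()
        return True


def reproduce(rotate_on_login=True):
    """Open the login page in two tabs, submit A, then submit B.
    Returns (tab_a_accepted, tab_b_accepted)."""
    browser = Browser()
    server = Server(rotate_on_login)
    tab_a_form = server.get_login_page(browser)
    tab_b_form = server.get_login_page(browser)  # same cookie, different mask
    a_ok = server.post_login(browser, tab_a_form)
    b_ok = server.post_login(browser, tab_b_form)
    return a_ok, b_ok


if __name__ == "__main__":
    print("rotate on login:   ", reproduce(rotate_on_login=True))
    print("no rotation:       ", reproduce(rotate_on_login=False))
```

With rotation, Tab B's token still unmasks to the old secret, but the cookie it is compared against has already been replaced, so the second submit fails exactly as described; switching rotation off makes both submits succeed, which is the trade-off the ticket is asking about (a pre-login token that stays valid after login is the session-fixation-style risk rotation exists to close).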