Opened 2 years ago
Last modified 2 years ago
#33522 closed New feature
Unexpected behaviour when logging in — at Version 1
| Reported by: | Michael | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.0 |
| Severity: | Normal | Keywords: | authentication log in CSRF token |
| Cc: | Florian Apolloner, Shai Berger | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Say a user opens two tabs to the same site, both show the login page.
The user logs in on Tab A, does some things, after a while changes to Tab B, sees the login page, and instictively clicks login (their details pre-populated due to auto fill). They will then get a surprising CSRF error.
I thing this is because when they logged in on Tab A, it deleted the anonymous session, and replaced it with a new session, which means the CSRF token from Tab B fails.
Would it not be better to not delete the anomyous session when one logs in, or upgrade the session (instead of deleting it)?
Another idea is making the login view csrf_exempt, then we won't have these csrf errors.
Note:
See TracTickets
for help on using tickets.