Login view is cached when caching middleware is turned on
| Reported by: | clong@… | Owned by: | nobody |
| Severity: | | Keywords: | auth, login, cache |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
This causes a problem because the login view expects a cookie to be set when a user visits the login page. If it's not set, it will fail the login, but will set the cookie.
- Make a request to the login page without any GET or POST parameters.
- Web server returns the cached page. (Note: this doesn’t set the cookie because no Python code has been run; the page returned is static.)
- The user enters in the login information and submits the information. This is sent to the server as a POST.
- The server, because of the POST, now runs the login view. This fails because there was no cookie previously set, but it does set the cookie that should have been previously set.
- The error message shown to the user is as if it was a failed attempt. If the user reenters the information, the login will now work as the cookie is now set.
I attached a diff that uses the 'never_cache' decorator to fix this.
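The sequence described in the ticket, and the effect of exempting the login view from the cache, as an added example: a simplified pure-Python model, not Django's code or the attached patch. `Site`, `login_view`, `TEST_COOKIE` and this `never_cache` are hypothetical stand-ins, and the cache is assumed to store only the page body, as the report describes.

```python
# Simplified model of the sequence in this ticket; not Django's code.
# All names here (Site, login_view, TEST_COOKIE, ...) are hypothetical.
TEST_COOKIE = "testcookie"


def login_view(method, cookies):
    """Return (body, set_cookies). A POST succeeds only if the test cookie came back."""
    if method == "POST" and cookies.get(TEST_COOKIE) == "worked":
        return "logged in", {}
    body = "login form" if method == "GET" else "login failed"
    return body, {TEST_COOKIE: "worked"}  # (re)issue the test cookie


def never_cache(view):
    """Stand-in for the decorator: mark the view so the page cache skips it."""
    def wrapped(method, cookies):
        return view(method, cookies)
    wrapped.never_cache = True
    return wrapped


class Site:
    """Page cache in front of one view; stores GET bodies only (assumption)."""

    def __init__(self, view):
        self.view, self.cache = view, {}

    def handle(self, method, path, cookies):
        cacheable = method == "GET" and not getattr(self.view, "never_cache", False)
        if cacheable and path in self.cache:
            return self.cache[path], {}  # static hit: view not run, no cookie set
        body, set_cookies = self.view(method, cookies)
        if cacheable:
            self.cache[path] = body
        return body, set_cookies


def second_visitor_login(site):
    """Warm the cache as visitor A, then return visitor B's two POST results."""
    site.handle("GET", "/login/", {})  # visitor A populates the cache
    jar, results = {}, []  # visitor B starts with an empty cookie jar
    for method in ("GET", "POST", "POST"):
        body, set_cookies = site.handle(method, "/login/", jar)
        jar.update(set_cookies)
        results.append(body)
    return results[1:]  # outcome of the first and second login attempts
```

With the plain view the second visitor's first attempt fails and the retry succeeds; with the view wrapped in `never_cache` the first attempt succeeds.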
Change History (14)
Changed 6 years ago by clong@…
Changed 6 years ago by permon
comment:1 Changed 6 years ago by permon
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
Changed 6 years ago by jcassee
comment:2 Changed 6 years ago by ericholscher
- milestone set to 1.0
- Triage Stage changed from Unreviewed to Accepted