#7364 closed (fixed)
Login view is cached when caching middleware is turned on
Reported by: | | Owned by: | nobody
---|---|---|---
Component: | Contrib apps | Version: | dev
Severity: | | Keywords: | auth, login, cache
Cc: | | Triage Stage: | Accepted
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
This causes a problem, because the login view expects a cookie to be set when a user visits the login page. If it's not set it will fail the login, but will set the cookie.
Quick steps:
- Make a request to the login page without any GET or POST parameters.
- Web server returns the cached page. (Note: this doesn't set the cookie because no Python code has been run; the page returned is static.)
- The user enters the login information and submits it. This is sent to the server as a POST.
- The server, because of the POST, now runs the login view. This fails because there was no cookie previously set, but it does set the cookie that should have been previously set.
- The error message shown to the user is as if it was a failed attempt. If the user reenters the information, the login will now work as the cookie is now set.
I attached a diff that uses the 'never_cache' decorator to fix this.
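The steps in the description, as a small pure-Python model added here (it is not Django code and not taken from the attached patches). `PageCache`, `login_view` and this `never_cache` are hypothetical stand-ins for the caching middleware, the login view and the decorator the ticket names.

```python
# Simplified model of the ticket's scenario; all names here are hypothetical.
TEST_COOKIE = "testcookie"

def login_view(method, cookies):
    """Return (body, set_cookies, headers), behaving as the ticket describes."""
    if method == "GET":
        # Rendering the form is what plants the test cookie.
        return "login form", {TEST_COOKIE: "worked"}, {}
    if cookies.get(TEST_COOKIE) != "worked":
        # POST without the cookie: reject the login, but set the cookie now.
        return "login failed", {TEST_COOKIE: "worked"}, {}
    return "logged in", {}, {}

def never_cache(view):
    """Mark every response from `view` as uncacheable."""
    def wrapped(method, cookies):
        body, set_cookies, headers = view(method, cookies)
        return body, set_cookies, {**headers, "Cache-Control": "max-age=0"}
    return wrapped

class PageCache:
    """Whole-page cache that stores only the body of GET responses."""
    def __init__(self, view):
        self.view, self.store = view, {}

    def handle(self, method, path, cookies):
        if method == "GET" and path in self.store:
            return self.store[path], {}  # static hit: no view code, no Set-Cookie
        body, set_cookies, headers = self.view(method, cookies)
        if method == "GET" and headers.get("Cache-Control") != "max-age=0":
            self.store[path] = body
        return body, set_cookies

def first_visit(site):
    """A new visitor (empty cookie jar) loads the form, then submits it twice."""
    jar, results = {}, []
    for method in ("GET", "POST", "POST"):
        body, set_cookies = site.handle(method, "/login/", jar)
        jar.update(set_cookies)
        results.append(body)
    return results

def scenario(view):
    site = PageCache(view)
    site.handle("GET", "/login/", {})  # an earlier visitor warms the cache
    return first_visit(site)
```

With the plain view the new visitor's first POST fails and the second succeeds; with the decorated view the form is never served from the cache, so the first POST succeeds.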
Attachments (4)
Change History (14)
by , 16 years ago
Attachment: | auth-caching.diff added |
---|
by , 16 years ago
Attachment: | admin_login_cache.diff added |
---|
comment:1 by , 16 years ago
comment:2 by , 16 years ago
milestone: | → 1.0 |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 16 years ago
Diff updated to revision 8345. Also changed to the older decorator syntax for compatibility with Python 2.3.
by , 16 years ago
Attachment: | 7364-admin_login_cache-8345.diff added |
---|
comment:5 by , 16 years ago
Sorry, julianb, is this comment directed at the correct ticket? I'm not sure what the form has to do with the view being cached.
comment:6 by , 16 years ago
comment:7 by , 16 years ago
You are right, I guess. I thought it would be a bad idea to cache the login page in any case, as you may want to display a different text if the user is already logged in (the default template does not). The cookie thing was not my main concern.
comment:8 by , 16 years ago
Okay, seems reasonable, sorry for thinking mainly about cookies ;)
I also see that there are some tickets open which aim to change how and when (test-)cookies are set. It's still important to see whether caching affects any new solution.
comment:9 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Previous patch corrected general behaviour of login page. But this one was not the one used in contrib.admin.