Opened 16 years ago

Closed 16 years ago

Last modified 13 years ago

#7364 closed (fixed)

Login view is cached when caching middleware is turned on

Reported by: clong@… Owned by: nobody
Component: Contrib apps Version: dev
Severity: Keywords: auth, login, cache
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This causes a problem, because the login view expects a cookie to be set when a user visits the login page. If it's not set it will fail the login, but will set the cookie.

Quick steps:

  1. Make a request to the login page without any GET or POST parameters.
  2. Web server returns the cached page. (Note: this doesn’t set the cookie because no Python code has been run, the page returned is static)
  3. The user enters in the login information and submits the information. This is sent to the server as a POST.
  4. The server, because of the POST, now runs the login view. This fails because there was no cookie previously set, but it does set the cookie that should have been previously set.
  5. The error message shown to the user is as if it was a failed attempt. If the user reenters the information, the login will now work as the cookie is now set.

I attached a diff that uses the 'never_cache' decorator to fix this.

Attachments (4)

auth-caching.diff (603 bytes ) - added by clong@… 16 years ago.
admin_login_cache.diff (1.4 KB ) - added by Tomáš Kopeček 16 years ago.
admin_login_cache-8161.diff (1.4 KB ) - added by Joost Cassee 16 years ago.
Updated patch to revision 8161
7364-admin_login_cache-8345.diff (1.7 KB ) - added by Joost Cassee 16 years ago.

Download all attachments as: .zip

Change History (14)

by clong@…, 16 years ago

Attachment: auth-caching.diff added

by Tomáš Kopeček, 16 years ago

Attachment: admin_login_cache.diff added

comment:1 by Tomáš Kopeček, 16 years ago

Previous patch corrected general behaviour of login page. But this one was not the one used in contrib.admin.

by Joost Cassee, 16 years ago

Attachment: admin_login_cache-8161.diff added

Updated patch to revision 8161

comment:2 by Eric Holscher, 16 years ago

milestone: 1.0
Triage Stage: UnreviewedAccepted

comment:3 by Joost Cassee, 16 years ago

Diff updated to revision 8345. Also changed to older decorators syntax for compatibility with Python 2.3.

by Joost Cassee, 16 years ago

Attachment: 7364-admin_login_cache-8345.diff added

comment:4 by Julian Bez, 16 years ago

What about that: r7692?

comment:5 by Joost Cassee, 16 years ago

Sorry, julianb, is this comment directed at the correct ticket? I'm not sure what the form has to do with the view being cached.

comment:6 by Julian Bez, 16 years ago

This ticket #7364: "causes a problem, because the login view expects a cookie to be set when a user visits the login page"

Changeset [7692]: "login view no longer assumes that set_test_cookie has been called"

comment:7 by Joost Cassee, 16 years ago

You are right, I guess. I thought it would be a bad idea to cache the login page in any case, as you may want to display a different text if the user is already logged in (the default template does not). The cookie thing was not my main concern.

comment:8 by Julian Bez, 16 years ago

Okay, seems reasonable, sorry for thinking mainly about cookies ;)

I also see that there are some tickets open which aim to change how and when (test-)cookies are set. It's still important to see whether caching affects any new solution.

comment:9 by Gary Wilson, 16 years ago

Resolution: fixed
Status: newclosed

(In [8383]) Fixed #7364 -- Never cache the contrib.auth login view.

comment:10 by Jacob, 13 years ago

milestone: 1.0

Milestone 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top