Opened 16 years ago
Closed 16 years ago
#8061 closed (invalid)
Allow login view to check test cookie
| Reported by: | Joost Cassee | Owned by: | Joost Cassee |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Keywords: | ||
| Cc: | joost@… | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The solution to ticket #3393, change [7692], removed the check for the test cookie on the login form. This was because that check breaks POSTs from login forms in views that don't call session.set_test_cookie(). On the other hand it break useful functionality (as mentioned in the ticket log). The attached patch adds a keyword parameter to the login ('check_test_cookie', default False) that if True will cause the request object to be passed to the AuthenticationForm.
The problem of having to call session.set_test_cookie() can by alleviated by always setting the test cookie unless the session cookie is present. This would not have to be a large overhead, as in the common case the session cookie is already set. (If that part of the ticket is accepted, then check_test_cookie could be made True by default or change [7692] be reverted.)
Two patches are attached to this ticket:
- login-view.diff adds the extra parameter to the login view.
- session-middleware.diff adds the test cookie to the response unless the session cookie was received
These patches are still pretty rough, documentation and tests would have to be written.
Attachments (5)
Change History (10)
by , 16 years ago
| Attachment: | login-view.diff added |
|---|
by , 16 years ago
| Attachment: | session-middleware.diff added |
|---|
comment:1 by , 16 years ago
| Cc: | added |
|---|---|
| Has patch: | set |
| Needs documentation: | set |
| Needs tests: | set |
| Owner: | set to |
| Status: | new → assigned |
comment:2 by , 16 years ago
| Patch needs improvement: | set |
|---|
by , 16 years ago
| Attachment: | check-session-cookie.diff added |
|---|
comment:3 by , 16 years ago
| Component: | Authentication → django.contrib.sessions |
|---|---|
| Patch needs improvement: | unset |
The new version of the sessions patch, temporary-session-key.diff fixes the problems mentioned above. It always sets the session cookie, but leaves the key empty unless the session was modified. Whether the session cookie has been received back (and consequently whether cookies work) can be checked using session.accepts_cookies(). This allows the AuthenticationForm to check for cookies at any time.
Changing component to django.contrib.sessions to invite review on this patch.
I also updated the login patch to temporary-session-key-login.diff.
by , 16 years ago
| Attachment: | temporary-session-key-login.diff added |
|---|
comment:4 by , 16 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
comment:5 by , 16 years ago
| Resolution: | → invalid |
|---|---|
| Status: | assigned → closed |
I have split off the session part of this ticket into #8122. If it is accepted I will create a new ticket for the AuthorizationForm change. Marking this ticket invalid.
The session-middleware.diff patch is incorrect. It does not handle all situations.
I just had another idea. Although
set_test_cookie()may not have been called, the session cookie must have been set. The new patch check-session-cookie.diff changes the AuthenticationForm to check for the presence of the session cookie in the request. There are three cases where this logic fails:check_cookieparameter to the login view (like in login-view.diff) so that users can disable the check.test_cookie_worked()method will catch this case. This is such a rare case that I think it's unimportant.For the session cookie to always be present, it must have been modified at least once. The new patch automatically saves the session if it is new. This can be a nuisance because anonymous users without cookies will continuously create new sessions. That may be a big problem for large sites. I guess just using login-view.diff would be safest. Checking for cookies is trickier than I would have imagined!