Allow login view to check test cookie
|Reported by:||Joost Cassee||Owned by:||Joost Cassee|
|Cc:||joost@…||Triage Stage:||Design decision needed|
|Has patch:||yes||Needs documentation:||yes|
|Needs tests:||yes||Patch needs improvement:||no|
The solution to ticket #3393, change , removed the check for the test cookie on the login form. This was because that check breaks POSTs from login forms in views that don't call session.set_test_cookie(). On the other hand it breaks useful functionality (as mentioned in the ticket log). The attached patch adds a keyword parameter to the login ('check_test_cookie', default False) that if True will cause the request object to be passed to the AuthenticationForm.
The problem of having to call session.set_test_cookie() can be alleviated by always setting the test cookie unless the session cookie is present. This would not have to be a large overhead, as in the common case the session cookie is already set. (If that part of the ticket is accepted, then check_test_cookie could be made True by default or change  be reverted.)
Two patches are attached to this ticket:
- login-view.diff adds the extra parameter to the login view.
- session-middleware.diff adds the test cookie to the response unless the session cookie was received.
These patches are still pretty rough; documentation and tests would have to be written.
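A simplified, framework-free model of the behaviour described in this ticket, added here as an example; it is not Django code and not the attached patches. The names `middleware`, `embedded_form`, `browse` and `auto_test_cookie` are assumptions made for the illustration, and `check_test_cookie` is the keyword parameter the ticket proposes.

```python
import secrets

SESSION_COOKIE = "sessionid"                   # Django's default session cookie name
TEST_KEY, TEST_VALUE = "testcookie", "worked"  # test-cookie marker kept in the session
STORE = {}                                     # constructed in-memory session store

def middleware(view, cookies, method, auto_test_cookie, **view_kwargs):
    """Model of a session layer: load session, run view, return (result, Set-Cookie dict)."""
    key = cookies.get(SESSION_COOKIE)
    received = key in STORE
    session = STORE[key] if received else {}
    result = view(session, method, **view_kwargs)
    # Proposed middleware change: plant the marker unless the session cookie came back.
    if auto_test_cookie and not received:
        session[TEST_KEY] = TEST_VALUE
    set_cookies = {}
    if session and not received:               # first write creates the session cookie
        key = secrets.token_hex(16)
        STORE[key] = session
        set_cookies[SESSION_COOKIE] = key
    return result, set_cookies

def login(session, method, check_test_cookie=False):
    """Login view model; check_test_cookie is the keyword parameter the ticket proposes."""
    if method == "POST":
        if check_test_cookie and session.get(TEST_KEY) != TEST_VALUE:
            return "error: cookies not enabled"
        session.pop(TEST_KEY, None)
        session["user"] = "alice"              # constructed user; password check omitted
        return "logged in"
    session[TEST_KEY] = TEST_VALUE             # what session.set_test_cookie() does
    return "form"

def embedded_form(session, method):
    """A view that renders a login form but never calls set_test_cookie()."""
    return "form"

def browse(accepts_cookies, form_view, auto_test_cookie):
    """GET form_view, then POST the form to login with check_test_cookie=True."""
    jar = {}
    _, set_cookies = middleware(form_view, jar, "GET", auto_test_cookie)
    if accepts_cookies:
        jar.update(set_cookies)
    result, _ = middleware(login, jar, "POST", auto_test_cookie, check_test_cookie=True)
    return result

if __name__ == "__main__":
    for args in [(True, login, False), (True, embedded_form, False),
                 (True, embedded_form, True), (False, embedded_form, True)]:
        print(args[0], args[1].__name__, args[2], "->", browse(*args))
```

The second case is the breakage from #3393: a cookie-accepting browser is rejected because the form came from a view that never set the marker. The third case shows the middleware proposal removing that false rejection while a cookie-less client is still refused.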
Change History (10)
comment:1 Changed 9 years ago by
|Owner:||set to Joost Cassee|
|Status:||new → assigned|
comment:3 Changed 9 years ago by
|Component:||Authentication → django.contrib.sessions|
|Patch needs improvement:||unset|