[Django] #21322: Cookie-averse users get CSRF failure without a clear explanation


Django

Oct 24, 2013, 1:42:00 PM10/24/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
------------------------------+--------------------
Reporter: olau | Owner: nobody
Type: Bug | Status: new
Component: contrib.csrf | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------
The easiest way to see this is to start a new project, set DEBUG=False,
start the dev server, disable cookies in the browser, go to /admin/ and
try to log in. The result is an inexplicable (to an end-user) "403 CSRF
verification failed".

The CSRF view already gives a relatively friendly (although not
translated) explanation if Referer headers are turned off. I suggest
adding one for a non-existing cookie too, patch attached against latest
trunk.

I'm attaching a little test project in a tarball.

I think this is an old problem; the patch here was originally against 1.2
(credit goes to Henrik Levkowetz).

--
Ticket URL: <https://code.djangoproject.com/ticket/21322>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
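The report above asks the CSRF check to tell a cookie-less browser apart from a bad token and from a missing Referer. The following is an added, self-contained illustration of that distinction written for this thread; it is not Django's middleware or the attached patch. The `Request` class, the `USER_HINTS` wording and the `failure_message` helper are constructed for the example, and the referer check is a simplified scheme-plus-host comparison rather than Django's full implementation.

```python
import hmac
from urllib.parse import urlsplit

CSRF_COOKIE_NAME = "csrftoken"
CSRF_FORM_FIELD = "csrfmiddlewaretoken"
CSRF_HEADER = "X-CSRFToken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# Rejection reasons handed to the failure view. Reporting REASON_NO_CSRF_COOKIE
# separately from REASON_BAD_TOKEN is the change this ticket asks for.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

# Constructed end-user hints keyed by reason; the wording is this example's own.
USER_HINTS = {
    REASON_NO_REFERER: "Your browser is not sending the Referer header, "
                       "which this site requires over HTTPS.",
    REASON_NO_CSRF_COOKIE: "Your browser appears to be rejecting cookies; "
                           "the CSRF cookie is required to submit forms.",
    REASON_BAD_TOKEN: "The form token did not match the CSRF cookie; "
                      "reload the page and try again.",
}


class Request:
    """Constructed stand-in for an HTTP request (not Django's HttpRequest)."""

    def __init__(self, method, host="example.test", secure=False,
                 cookies=None, post=None, headers=None):
        self.method = method
        self.host = host
        self.secure = secure          # True when served over HTTPS
        self.cookies = cookies or {}  # cookies the browser sent back
        self.post = post or {}        # form fields of a POST body
        self.headers = headers or {}  # request headers


def _same_origin(referer, expected):
    """True when scheme and host:port of the two URLs match."""
    a, b = urlsplit(referer), urlsplit(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def check_csrf(request):
    """Return None when the request passes, otherwise the rejection reason."""
    if request.method in SAFE_METHODS:
        return None

    # Over HTTPS the Referer is checked as a defence against a forged Host.
    if request.secure:
        referer = request.headers.get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        expected = "https://%s/" % request.host
        if not _same_origin(referer, expected):
            return REASON_BAD_REFERER % (referer, expected)

    cookie = request.cookies.get(CSRF_COOKIE_NAME)
    if not cookie:
        # A browser that refuses cookies ends up here; without this branch the
        # request would fall through to the less informative REASON_BAD_TOKEN.
        return REASON_NO_CSRF_COOKIE

    # The token may arrive as a form field or as a header (for AJAX posts).
    token = request.post.get(CSRF_FORM_FIELD) or request.headers.get(CSRF_HEADER, "")
    if not hmac.compare_digest(token, cookie):
        return REASON_BAD_TOKEN
    return None


def failure_message(reason):
    """Text a 403 page would show to the user for a given rejection reason."""
    return USER_HINTS.get(reason, "CSRF verification failed. Request aborted.")


if __name__ == "__main__":
    # Reproduce the ticket's scenario: a login POST from a browser with cookies off.
    reason = check_csrf(Request("POST", post={CSRF_FORM_FIELD: "abc"}))
    print(reason, "->", failure_message(reason))
```

The ordering matters: the Referer check runs first because a missing Referer over HTTPS is rejected regardless of the cookie, and the empty-cookie check must come before the token comparison, since `hmac.compare_digest("", "")` would otherwise report a match for a browser that sent neither.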

Django

Oct 24, 2013, 2:46:01 PM10/24/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
--------------------------------------+------------------------------------
Reporter: olau | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.csrf | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by claudep):

* needs_better_patch: => 0
* needs_docs: => 0
* type: Bug => Cleanup/optimization
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

I created #21324 to track the non-translated issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/21322#comment:1>

Django

Nov 2, 2013, 6:27:04 AM11/2/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
--------------------------------------+------------------------------------
Reporter: olau | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.csrf | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by claudep):

* needs_better_patch: 0 => 1


Comment:

Now that #21324 has been fixed, the patch needs to accommodate content
translation.

--
Ticket URL: <https://code.djangoproject.com/ticket/21322#comment:2>

Django

Nov 3, 2013, 3:23:51 AM11/3/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
--------------------------------------+------------------------------------
Reporter: olau | Owner: bouke
Type: Cleanup/optimization | Status: assigned
Component: contrib.csrf | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by bouke):

* status: new => assigned
* needs_better_patch: 1 => 0
* owner: nobody => bouke


Comment:

I've rebased the patch and added tests that check for the various error
messages: https://github.com/django/django/pull/1859

--
Ticket URL: <https://code.djangoproject.com/ticket/21322#comment:3>

Django

Nov 3, 2013, 3:24:14 AM11/3/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
--------------------------------------+------------------------------------
Reporter: olau | Owner: bouke
Type: Cleanup/optimization | Status: assigned
Component: contrib.csrf | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by bouke):

* cc: bouke (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/21322#comment:4>

Django

Nov 3, 2013, 2:10:46 PM11/3/13
to django-...@googlegroups.com
#21322: Cookie-averse users get CSRF failure without a clear explanation
--------------------------------------+------------------------------------
Reporter: olau | Owner: bouke
Type: Cleanup/optimization | Status: closed
Component: contrib.csrf | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Claude Paroz <claude@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"9b95fa7777c4b484f8053b87f48d65c853945f19"]:
{{{
#!CommitTicketReference repository=""
revision="9b95fa7777c4b484f8053b87f48d65c853945f19"
Fixed #21322 -- Error message when CSRF cookie is missing

Thanks to Henrik Levkowetz and olau for their reports and initial patches.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/21322#comment:5>
