#31129 closed Cleanup/optimization (invalid)
Password reset requires proper SESSION_COOKIE_SAMESITE value.
Reported by: | Nicholas Fiorentini | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
A misconfiguration in Django settings could cause the password reset link to stop working properly. This is not well documented and it lacks Django checks.
Steps to reproduce:
- activate Django's authentication with its password reset features;
- set SESSION_COOKIE_SAMESITE to Strict;
- initiate a password reset and open the link received in the email (by clicking on it);
- the password reset page opens with the "token already used" error. It should open the password reset form instead.
Root cause
Password reset must have SESSION_COOKIE_SAMESITE set to Lax or None in order to have the link working when clicked.
Please notice that copying and pasting the link works. Also, unit testing the password reset flow will likely not catch this issue.
Proposed solution
The documentation (https://docs.djangoproject.com/en/3.0/topics/auth/default/) should detail this requirement.
Furthermore, if technically feasible, a Django check (https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) should be added to alert a wrong setting when the authentication links are included in a site with wrong SESSION_COOKIE_SAMESITE.
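Added illustration (not part of the reporter's ticket text and not Django's code): a small Python model of the two-request reset confirmation that Django's PasswordResetConfirmView performs (validate the token from the URL, move it into the session, redirect to a URL carrying a placeholder token) together with a simplified SameSite cookie rule. It shows why a Strict session cookie survives a URL pasted into the address bar but not a navigation the browser classifies as cross-site, such as a click inside webmail or through an email provider's click-tracking redirect, and why Lax is enough. The Server and Browser classes, the session id and the token value are constructed for the example; the SameSite handling is a model of the specification, not a browser implementation.

```python
"""Why SESSION_COOKIE_SAMESITE = "Strict" can break a clicked password reset
link while pasting the same URL works.

Added illustration for this ticket; not Django's code.  The request sequence
mirrors Django's PasswordResetConfirmView (validate the token, move it into
the session, redirect to a URL with a placeholder token).  The browser's
SameSite rules are a simplified model of the specification.  Class names,
the session id and the token are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"  # Django's session key
INTERNAL_RESET_URL_TOKEN = "set-password"               # Django's URL placeholder


@dataclass
class Server:
    """Minimal stand-in for the Django view and its session store."""
    valid_token: str
    sessions: dict = field(default_factory=dict)

    def confirm_view(self, token: str, cookies: dict) -> tuple[str, dict]:
        """Handle GET /reset/<uidb64>/<token>/ or /reset/<uidb64>/set-password/.

        Returns (outcome, cookies_to_set); outcome is "redirect", "form" or "invalid".
        """
        if token == INTERNAL_RESET_URL_TOKEN:
            # Second request: the real token must come from the session.
            session = self.sessions.get(cookies.get("sessionid"), {})
            if session.get(INTERNAL_RESET_SESSION_TOKEN) == self.valid_token:
                return "form", {}
            return "invalid", {}
        if token == self.valid_token:
            # First request: stash the token in a session and redirect, so the
            # token never appears in the Referer header sent from the form page.
            sid = f"sess-{len(self.sessions) + 1}"  # constructed session id
            self.sessions[sid] = {INTERNAL_RESET_SESSION_TOKEN: token}
            return "redirect", {"sessionid": sid}
        return "invalid", {}


@dataclass
class Browser:
    """Cookie jar with a simplified SameSite decision for top-level GET navigations."""
    samesite: str  # "Strict", "Lax" or "None" (the Django setting's value)
    jar: dict = field(default_factory=dict)

    def store(self, set_cookies: dict) -> None:
        # SameSite restricts sending, not setting: the cookie is stored either way.
        self.jar.update(set_cookies)

    def cookies_to_send(self, *, cross_site: bool) -> dict:
        if self.samesite == "Strict" and cross_site:
            return {}          # Strict: never attached to a cross-site request
        return dict(self.jar)  # Lax: attached to top-level GETs; None: always attached


def reset_flow(samesite: str, *, cross_site: bool) -> str:
    """Follow the reset link and report which page the user ends up on."""
    server = Server(valid_token="tok-constructed-123")
    browser = Browser(samesite=samesite)

    # Request 1: the link from the email is opened.
    outcome, set_cookies = server.confirm_view(
        server.valid_token, browser.cookies_to_send(cross_site=cross_site))
    browser.store(set_cookies)
    assert outcome == "redirect"

    # Request 2: the browser follows the 302.  A redirect keeps the cross-site
    # status of the navigation that triggered it, so a click from webmail or a
    # click-tracking redirector is still cross-site here and Strict cookies stay home.
    outcome, _ = server.confirm_view(
        INTERNAL_RESET_URL_TOKEN, browser.cookies_to_send(cross_site=cross_site))
    return "set-password form" if outcome == "form" else "token already used / invalid link"


if __name__ == "__main__":
    for samesite in ("Strict", "Lax"):
        for origin, cross in (("pasted into the address bar", False),
                              ("clicked in webmail / tracking redirect", True)):
            print(f"{samesite:6} {origin:40} -> {reset_flow(samesite, cross_site=cross)}")
```

Pasting the URL (or opening it from a native mail client, which browsers treat as a same-site navigation) keeps both requests same-site, so even Strict works; only the cross-site path loses the session cookie on the redirect hop, which is the "token already used" symptom above.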
Change History (4)
comment:1 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Summary: | Password reset requires proper SESSION_COOKIE_SAMESITE setting: documentation and additional checks → Password reset requires proper SESSION_COOKIE_SAMESITE value. |
Version: | 3.0 → master |
comment:2 by , 5 years ago
comment:3 by , 5 years ago
Adam, the Safari issue is related to incorrect handling of Lax. This report is about documenting that you cannot use Strict as the SameSite value with the password reset mechanism, which is not true in general, as far as I'm concerned.
Thanks for this ticket, however if links don't work when you click them and at the same time work when you copy and paste them, then probably your email provider uses click tracking and wraps password reset links. In such cases you need to set SESSION_COOKIE_SAMESITE to Lax, but it's not a requirement in other cases. I don't think we should document this and we definitely should not add any check for that. Closing per TicketClosingReasons/UseSupportChannels.