From 9d2c0a0ae6ce931699daa87735d5b8b2afaa20f9 Mon Sep 17 00:00:00 2001
From: Preston Holmes
Date: Sat, 23 Feb 2013 14:19:01 -0800
Subject: [PATCH] Removed superfluous cookie check from auth login.

This is ensured through the CSRF protection of the view
---
 django/contrib/admin/forms.py | 1 -
 django/contrib/auth/forms.py | 9 ++++-----
 django/contrib/auth/views.py | 5 -----
 docs/internals/deprecation.txt | 6 ++++++
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py
index 1fabdce245..38c445f71a 100644
--- a/django/contrib/admin/forms.py
+++ b/django/contrib/admin/forms.py
@@ -33,5 +33,4 @@ class AdminAuthenticationForm(AuthenticationForm):
 raise forms.ValidationError(message % {
 'username': self.username_field.verbose_name
 })
- self.check_for_test_cookie()
 return self.cleaned_data
diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
index c28971b94d..f3ad655c65 100644
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@@ -1,5 +1,7 @@
 from __future__ import unicode_literals
+import warnings
+
 from django import forms
 from django.forms.util import flatatt
 from django.template import loader
@@ -153,8 +155,6 @@ class AuthenticationForm(forms.Form):
 error_messages = {
 'invalid_login': _("Please enter a correct %(username)s and password. "
 "Note that both fields may be case-sensitive."),
- 'no_cookies': _("Your Web browser doesn't appear to have cookies " "enabled. Cookies are required for logging in."),
 'inactive': _("This account is inactive."),
 }
@@ -189,12 +189,11 @@ class AuthenticationForm(forms.Form):
 })
 elif not self.user_cache.is_active:
 raise forms.ValidationError(self.error_messages['inactive'])
- self.check_for_test_cookie()
 return self.cleaned_data
 def check_for_test_cookie(self):
- if self.request and not self.request.session.test_cookie_worked():
- raise forms.ValidationError(self.error_messages['no_cookies'])
+ warnings.warn("check_for_test_cookie is deprecated; ensure your login " "view is CSRF-protected.", DeprecationWarning)
 def get_user_id(self):
 if self.user_cache:
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index 9d1534651b..c9f53f1956 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -45,15 +45,10 @@ def login(request, template_name='registration/login.html',
 # Okay, security check complete. Log the user in.
 auth_login(request, form.get_user())
- if request.session.test_cookie_worked():
- request.session.delete_test_cookie()
-
 return HttpResponseRedirect(redirect_to)
 else:
 form = authentication_form(request)
- request.session.set_test_cookie()
-
 current_site = get_current_site(request)
 context = {
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index ef9fd31d15..f1ae1338df 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -320,6 +320,12 @@ these changes.
 deprecated. Use the :class:`warnings.catch_warnings` context manager
 available starting with Python 2.6 instead.
+* The undocumented ``check_for_test_cookie`` method in
+ :class:`~django.contrib.auth.forms.AuthenticationForm` will be removed
+ following an accelerated deprecation. Users subclassing this form should
+ remove calls to this method, and instead ensure that their auth related views
+ are CSRF protected, which ensures that cookies are enabled.
+
 1.8
 ---
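Review bot: The new `warnings.warn(...)` call in `check_for_test_cookie` passes no `stacklevel`, so the DeprecationWarning is reported against forms.py itself instead of the subclass `clean()` that still calls the method, which is exactly the code the message asks people to change; use `warnings.warn("check_for_test_cookie is deprecated; ensure your login view is CSRF-protected.", DeprecationWarning, stacklevel=2)`. Note also that the method now returns `None` instead of raising, so a subclass that kept the call loses the no-cookie validation silently rather than loudly, and the guarantee the message relies on only holds for views that are actually under `csrf_protect` or `CsrfViewMiddleware`, which this hunk does not show. A one-line docstring on the method, `"""Deprecated no-op; cookie support is now verified by the view's CSRF check."""`, would make that contract explicit to subclass authors. The `clean()` method whose tail is shown at the top of the hunk starts outside it.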