diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py index cdb6dded93..ef2a106e6f 100644 --- a/django/contrib/auth/views.py +++ b/django/contrib/auth/views.py @@ -492,9 +492,9 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView): def form_valid(self, form): user = form.save() + del self.request.session[INTERNAL_RESET_SESSION_TOKEN] if self.post_reset_login: auth_login(self.request, user) - del self.request.session[INTERNAL_RESET_SESSION_TOKEN] return super(PasswordResetConfirmView, self).form_valid(form) def get_context_data(self, **kwargs): diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py index 5a6fc81610..07989a23b0 100644 --- a/tests/auth_tests/test_views.py +++ b/tests/auth_tests/test_views.py @@ -331,6 +331,14 @@ class PasswordResetTest(AuthViewsTestCase): self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) self.assertIn(SESSION_KEY, self.client.session) + def test_confirm_login_post_reset_already_logged_in(self): + url, path = self._test_confirm_start() + path = path.replace('/reset/', '/reset/post_reset_login/') + self.login() + response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'}) + self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False) + self.assertIn(SESSION_KEY, self.client.session) + def test_confirm_display_user_from_form(self): url, path = self._test_confirm_start() response = self.client.get(path)