Opened 10 years ago
Last modified 8 years ago
#1006 new defect
CSRF cookie not set if visiting a media page directly
| Reported by: | Peter Kuma | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | programming | Keywords: | |
| Cc: | Parent Tickets: |
Description
When visiting a media page via a direct link (i.e. without going through the main page), the CSRF cookie is not set for the root path of the domain. Consequently, when a user tries to submit a comment, it fails with 403 Forbidden:
403 Forbidden CSRF cookie not present. This is most likely the result of a cookie blocker or somesuch.<br/>Make sure to permit the settings of cookies for this domain
The reason for this is that the CSRF meddleware sets cookie path to request.environ['SCRIPT_NAME'], and the cookie is not sent when accessing the comment add page.
The issue can be fixed by introducing a new setting csrf_cookie_path, set by default to '/' and using it instead of request.environ['SCRIPT_NAME']. Django does something similar.
Attached is a patch.
Attachments (1)
Change History (3)
by , 10 years ago
| Attachment: | csrf-path-fix.diff added |
|---|
comment:1 by , 10 years ago
comment:2 by , 8 years ago
Clear browser history (Ctrl+Alt+Del).
It's Shift-Ctrl-Del ;-)
I've not been able to reproduce the problem because after login I'm redirected to the user home page and when I go back to the media page the comment works fine.
How to reproduce:
You should get a 403 Forbidden page.