#19327: Admin doesn't handle double login attempts
----------------------------+----------------------------------------------
     Reporter:  KJ             |      Owner:  KJ
         Type:  Bug            |     Status:  new
    Component:  contrib.admin  |    Version:  master
     Severity:  Normal         |   Keywords:  sensitive_post_parameters, login
 Triage Stage:  Unreviewed     |  Has patch:  0
Easy pickings:  1              |      UI/UX:  0
----------------------------+----------------------------------------------
When sending the login form on the admin site while the user is already
logged in, the admin view gets called as if no login attempt was being
made. Login form POST data can then easily cause some of the admin views
to break. Furthermore, the sensitive_post_parameters decorator isn't
applied because the login view doesn't get called, so if an exception is
raised, a traceback is emailed with the username and password in plain
text.

A real-life example would be when a user opens 2 tabs with the login form,
logs in on one of them and then forgets about it and tries to log in on
the second.
--
Ticket URL: <https://code.djangoproject.com/ticket/19327>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
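
The flow described in the ticket, as an added example that is not part of
the original report and is not Django's code: a simplified pure-Python model
in which the Request class, admin_dispatch, error_report, report_for and the
always_mask fallback are all hypothetical names, and the form values are
constructed. It shows that masking depends on the login view having run, and
how a name-based fallback in the report step closes the gap.

```python
import functools

MASK = "********************"

class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    def __init__(self, post, authenticated):
        self.POST = dict(post)
        self.authenticated = authenticated
        self.sensitive_post_parameters = None  # set only by the decorator

def sensitive_post_parameters(*names):
    """Model of the decorator: tag the request so error reports can mask fields."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request):
            request.sensitive_post_parameters = names
            return view(request)
        return wrapper
    return decorator

@sensitive_post_parameters("password")
def login(request):
    raise ValueError("login failed")  # stands for any exception inside login

def index(request):
    # An ordinary admin view that breaks on unexpected login-form POST data.
    raise KeyError("unexpected POST data")

def admin_dispatch(request, view):
    """Model of the ticket's flow: login() runs only for anonymous users."""
    return view(request) if request.authenticated else login(request)

def error_report(request, always_mask=()):
    """POST data as shown in an error e-mail; always_mask is an assumed fallback."""
    tagged = set(request.sensitive_post_parameters or ()) | set(always_mask)
    return {k: (MASK if k in tagged else v) for k, v in request.POST.items()}

def report_for(authenticated, always_mask=()):
    # Constructed sample input: a login form submission.
    request = Request({"username": "alice", "password": "s3cret"}, authenticated)
    try:
        admin_dispatch(request, index)
    except Exception:
        return error_report(request, always_mask)
```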