Tuesday, January 29, 2019

PasswordResetConfirmView doesn't work through redirect in newest Safari

Hi all,

Recently we've upgraded a project from Django 2.x to 2.1, which meant upgrading our old reset-password function-based views to the newer class-based models. However, since the change we're experiencing issues with PasswordResetConfirmView.

What we're experiencing, in short, is that when we send our mails through Mandrill (the SMTP service from Mailchimp) and the user presses the reset-password link, they get an error saying the link is invalid/expired. This happens only if the customer goes through the Mandrill redirect link AND uses the newest stable version of Safari shipping with macOS Mojave or the newest iOS versions.

I've been digging through the code, and it seems that the session framework/cookie framework simply isn't working when going through that particular redirect link. When the user lands on the first page in the confirmation view (which includes the full token), they get "None" as their sessionid. Just before the redirect (where the token is put into session, and replaced with "set password"), they get an actual sessionid - but when they're redirected to the "set-password" page, they now have a new sessionid, which of course means PasswordResetConfirmView cannot find their token in session storage, leading to the error message.

While I realise this might not be an issue with Django, and rather the way Mandrill deals with their redirection of links/some weird inner workings in Safari, I'm wondering how other people have dealt with this issue.

Any help appreciated :)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6e017023-1fbd-4f22-8a03-53499c05497b%40googlegroups.com.
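As an added illustration (not code from the post or from Django itself), a constructed model of the two-step flow described above: the emailed token URL is validated, the token is stored in the session and the browser is redirected to the "set-password" URL, so a client that does not send the session cookie back on that redirect lands in a fresh session and gets the invalid-link message. The constant names mirror Django's PasswordResetConfirmView; the token generator, session store and client are simplified stand-ins.

```python
import hashlib
import hmac
import secrets

# Constant names mirror Django's PasswordResetConfirmView; the logic is a constructed model.
INTERNAL_RESET_URL_TOKEN = "set-password"
INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"
SECRET_KEY = b"constructed-secret-key"  # placeholder, not a real key


def make_token(uid):
    """Constructed stand-in for Django's password reset token generator."""
    return hmac.new(SECRET_KEY, uid.encode(), hashlib.sha256).hexdigest()[:20]


def check_token(uid, token):
    return hmac.compare_digest(make_token(uid), token)


class ResetConfirmServer:
    """Two-step confirm view: token URL -> store token in session -> redirect to set-password URL."""

    def __init__(self):
        self.sessions = {}  # sessionid -> session dict

    def get(self, uid, token, cookie):
        sid = cookie if cookie in self.sessions else None
        if sid is None:  # missing or unknown cookie: the server starts a brand new session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
        session = self.sessions[sid]
        if token != INTERNAL_RESET_URL_TOKEN:
            if not check_token(uid, token):
                return sid, "invalid link", None
            session[INTERNAL_RESET_SESSION_TOKEN] = token
            return sid, None, f"/reset/{uid}/{INTERNAL_RESET_URL_TOKEN}/"
        stored = session.get(INTERNAL_RESET_SESSION_TOKEN)
        if stored is None or not check_token(uid, stored):
            return sid, "invalid link", None  # the symptom described in the post
        return sid, "set-password form", None


def follow_reset_link(uid, keeps_cookie):
    """Client following the emailed link; keeps_cookie=False models the cookie being dropped."""
    server = ResetConfirmServer()
    sid1, body, location = server.get(uid, make_token(uid), cookie=None)
    assert location is not None and body is None  # first hit always redirects
    sid2, body, _ = server.get(uid, INTERNAL_RESET_URL_TOKEN, cookie=sid1 if keeps_cookie else None)
    return body, sid1 == sid2  # second value: did the session survive the redirect?
```

Comparing the sessionid sent on the first request with the one presented on the redirected request is the quickest way to confirm the cookie was dropped rather than the token being wrong.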
