Cookie validation raises BadSignature error after major Django upgrade #686
Comments
This was referenced Dec 15, 2023
|
I don't think the current behaviour is bug. The doc string of |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
After a major Django version upgrade, existing two-factor authentication cookies should continue to be valid until their expiration.
Current Behavior
After a major Django version upgrade, existing two-factor authentication cookies are invalidated due to the change in the user's password hash. This happens because Django updates the password hash on login if the hash iteration count changes with the new version. Consequently, the hash used in the two-factor authentication cookies, which relies on the user's password hash, no longer matches, causing cookie validation to fail with a
BadSignatureexception when usingvalidate_remember_device_cookiedirectly. While views in django-two-factor-auth itself catch this exception, implementations usingvalidate_remember_device_cookiedirectly might not. In our case, the user is presented with an error and no way to continue.Possible Solution
One potential solution is to just return false on the cookie validation, as signature mismatches might not be due to malicious behavior, but also due to upgrades or even in general due to other changes in how the hashing is done.
Steps to Reproduce
validate_remember_device_cookie.Context
This issue leads to an inconvenient user experience, as in our case users are forced to clear their cookies after a Django upgrade. It affects the seamless usage of two-factor authentication in Django applications.
Your Environment
The text was updated successfully, but these errors were encountered: