CSRF: Avoid creating a session on error page

WeblateOrg · Oct 12, 2020 · e773fe9 · e773fe9
1 parent 13eb13a
commit e773fe9
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/weblate/trans/views/error.py b/weblate/trans/views/error.py
@@ -48,7 +48,7 @@ def denied(request, exception=None):
 
 
 def csrf_failure(request, reason=""):
-    return render(
+    response = render(
         request,
         "403_csrf.html",
         {
@@ -58,6 +58,12 @@ def csrf_failure(request, reason=""):
         },
         status=403,
     )
+    # Avoid setting CSRF cookie on CSRF failure page, otherwise we end up creating
+    # new session even when user might already have one (because browser did not
+    # send the cookies with the CSRF request and Django doesn't see the session
+    # cookie).
+    response.csrf_cookie_set = True
+    return response
 
 
 def server_error(request):