
CSRF error when logging in to PyPI.org #17991

@ronaldoussoren

Describe the bug

I get a CSRF error when logging into https://pypi.org/ when I log in after using "Remember this device for 30 days" for the 2FA authentication with a security token earlier. I do not get this error when logging in on a system where I didn't use the 'remember' feature earlier.

The full error page:

400 Bad CSRF Token

Access is denied. This server can not verify that your cross-site request forgery token belongs to your login session. Either you supplied the wrong cross-site request forgery token or your session no longer exists. This may be due to session timeout or because browser is not supplying the credentials required, as can happen when the browser has cookies turned off.

check_csrf_token(): Invalid token

When I reopen the page I'm actually logged on.

This is on a macOS system using Safari as the browser.

Expected behavior
Logging in just works

To Reproduce

  • On a system running macOS and using Safari, log in to PyPI and select 'Remember this device for 30 days' when verifying the security token
  • Log off again
  • Log on again
    • Get a CSRF error when getting to the 2FA verification step

My Platform

  • Browser: Safari 18.4 (20621.1.15.11.10)
  • OS: macOS 15.4 (24E248)

Additional context
