Session settings with Django's authentication system: possible improvements in documentation and checks

Hi there,

In one of my Django projects I’m using the provided authentication. I recently had a lot of trouble with the password reset link. The generated link was working fine in the unit tests and when copy-and-pasting it from the email; yet clicking the link from the email message resulted in opening the password reset view with the error of invalid token.

It took me a while to find the root cause of this issue: the SESSION_COOKIE_SAMESITE setting was set to Strict, yet in order to have the password reset link properly working it must be Lax (or None).

I think this should be made more clear in the documentation, and possibly a Django check should be added to alert a wrong setting when the authentication links are included in a site.

Should I open a bug report for this?
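The failure described in this post, as an added example that is neither Django's code nor the poster's: a simplified model of the browser's SameSite rule and of the token-to-session redirect done by PasswordResetConfirmView, plus the core of the proposed system check. The constant names follow Django's view; the simplifying assumption is that a navigation started from the email client stays cross-site across the redirect Django issues.

```python
# Added example (not Django's own code). Models why SESSION_COOKIE_SAMESITE='Strict'
# turns an email password reset link into "invalid token", while pasting the same
# URL into the address bar (a same-site navigation) works. Assumption: the redirect
# Django issues in step 1 is still a cross-site request when it started from an email.
PLACEHOLDER = "set-password"                   # Django's reset_url_token
SESSION_KEY = "_password_reset_token"          # Django's INTERNAL_RESET_SESSION_TOKEN


def cookie_sent(samesite, cross_site, top_level_get):
    """Does the browser attach a cookie with this SameSite value to the request?"""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        return top_level_get        # Lax: sent on top-level safe (GET) navigations only
    return False                    # Strict: never sent on a cross-site request


def password_reset_flow(samesite, from_email):
    """Simulate the two requests of the reset confirm view; return the outcome."""
    sessions = {}                   # server-side session store: sid -> data
    jar = {}                        # browser cookie jar for the site
    cross_site = from_email         # address-bar paste has no cross-site initiator

    def request(token):
        sid = jar.get("sessionid") if cookie_sent(samesite, cross_site, True) else None
        if sid is None:             # no cookie arrived: the server starts a fresh session
            sid = f"sid{len(sessions)}"
            sessions[sid] = {}
        session = sessions[sid]
        if token != PLACEHOLDER:
            # Step 1: token in the URL is valid; stash it in the session, set the
            # session cookie (setting a Strict cookie cross-site is allowed) and redirect.
            session[SESSION_KEY] = token
            jar["sessionid"] = sid
            return "redirect"
        # Step 2: the token must come back from the session, so the cookie must be sent.
        return "ok" if SESSION_KEY in session else "invalid token"

    assert request("abc123-token") == "redirect"   # constructed token value
    return request(PLACEHOLDER)


def samesite_check(samesite, password_reset_views_enabled):
    """Core of the system check the post proposes: list of warning messages."""
    if password_reset_views_enabled and samesite == "Strict":
        return ["SESSION_COOKIE_SAMESITE='Strict' breaks the password reset link when "
                "it is opened from an email client; use 'Lax' (the default) or 'None'."]
    return []
```

To ship this as a real check, wrap samesite_check in a function registered with django.core.checks.register(Tags.security) that reads settings.SESSION_COOKIE_SAMESITE and returns checks.Warning objects.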


Yes please do open a trac ticket. I’m in favour of more system checks to catch issues like this.
