From f5ff5be2c11613e611f53ba4d6b194675811cbad Mon Sep 17 00:00:00 2001
From: Markus Holtermann <info@markusholtermann.eu>
Date: Tue, 14 Feb 2017 23:35:42 +0100
Subject: [PATCH] [1.11.x] Fixed #27840 -- Fixed KeyError in
 PasswordResetConfirmView.form_valid().

When a user is already logged in when submitting the password and
password confirmation to reset a password, a KeyError occurred while
removing the reset session token from the session.

Refs #17209

Thanks Quentin Marlats for the report and Florian Apolloner and Tim
Graham for the review.
---
 django/contrib/auth/views.py   | 2 +-
 tests/auth_tests/test_views.py | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index cdb6dded93..ef2a106e6f 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -492,9 +492,9 @@ class PasswordResetConfirmView(PasswordContextMixin, FormView):
 
     def form_valid(self, form):
         user = form.save()
+        del self.request.session[INTERNAL_RESET_SESSION_TOKEN]
         if self.post_reset_login:
             auth_login(self.request, user)
-        del self.request.session[INTERNAL_RESET_SESSION_TOKEN]
         return super(PasswordResetConfirmView, self).form_valid(form)
 
     def get_context_data(self, **kwargs):
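Review bot: The new position of `del self.request.session[INTERNAL_RESET_SESSION_TOKEN]` in form_valid() is load-bearing, but nothing in the code says so, and a later refactor could move it back below the login call and reintroduce the KeyError. `auth_login()` can replace the session when the request already carries an authenticated session, so the token has to be removed first. I would add a comment above the `del`, such as `# Remove the reset token before auth_login(), which may flush the session.` Separately, `del` still raises if the key is absent for any other reason. If the dispatch path (not visible in this hunk) does not guarantee the key is present, `self.request.session.pop(INTERNAL_RESET_SESSION_TOKEN, None)` would make the cleanup tolerant without weakening it.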
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py
index 5a6fc81610..07989a23b0 100644
--- a/tests/auth_tests/test_views.py
+++ b/tests/auth_tests/test_views.py
@@ -331,6 +331,14 @@ class PasswordResetTest(AuthViewsTestCase):
         self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False)
         self.assertIn(SESSION_KEY, self.client.session)
 
+    def test_confirm_login_post_reset_already_logged_in(self):
+        url, path = self._test_confirm_start()
+        path = path.replace('/reset/', '/reset/post_reset_login/')
+        self.login()
+        response = self.client.post(path, {'new_password1': 'anewpassword', 'new_password2': 'anewpassword'})
+        self.assertRedirects(response, '/reset/done/', fetch_redirect_response=False)
+        self.assertIn(SESSION_KEY, self.client.session)
+
     def test_confirm_display_user_from_form(self):
         url, path = self._test_confirm_start()
         response = self.client.get(path)