Preface: I taught myself how to use Django a couple of years ago, developed a webapp, handed the keys to my clients, and haven't had to do much with the app since then, nor have I developed with Django since then.

The Problem

A lot of users cannot log in successfully, and this appears to be a persistent problem for those it affects. However, I cannot for the life of me figure out what these users have in common. They use different operating systems, different browsers, access the site at different times of day/week/month. It's a reliable failure that doesn't seem to follow a pattern at all.

Specifics

The webapp is running on Windows, Django 1.0, and uses MySQL as the database. Sessions are stored to the database.

Eliminating Possible Causes

It's not a "wrong username/password" problem, unfortunately. That would be easy. No, the thousands of users of this webapp use the same username and password. (Not my preference or choice!) Furthermore, the failure-to-authenticate is not accompanied by a username/password error message.

Now, the site does work for most of the users. So I know that the basic authentication configuration is correct: the MIDDLEWARE_CLASSES and INSTALLED_APPS tuples contain the correct contrib lines. LOGIN_URL, LOGIN_REDIRECT_URL, and LOGOUT_URL are all set correctly. The URL dispatcher works, the views work, etc.

The fact that it is a consistent, ongoing failure for the affected users means that it's not a load problem.

For some affected users, using a different browser will fix the problem. For others it does not. And it's not necessarily a question of peculiar browser configuration, because a lot of the users who tried second browsers did so by downloading/installing a second browser for the first time, presumably using the default configuration. (Note that the users are largely not "power users".)

Reproducing the Error

The hardest part of all of this is that I have never had a failed login on any of my computers or browsers, so it's impossibly difficult to tackle the debugging process.

The problem is reproducible, though. The primary client's computer, when she is logged in to it and using IE 7 or 8, fails to log in, with the expected behaviour. The hitch: it is not reproducible when I am logged in to the same computer, regardless of the browser I use.

Why I'm Asking Here

I do most of my development in PHP/MySQL. When I'm looking for login problems I look for problems in the username/password, cookies, server-side sessions, browsers, etc. I write debugging code to dump the server/cookie variables to the screen, etc.

Unfortunately I don't know how to debug Django middleware. I don't even know what type of problem this could possibly be.

Finally

I have been wracking my brain for days. Several months ago I went through the same thing, also for days, before it was deemed a lower priority than some other projects I had. But now it's back.

I cannot for the life of me see a pattern. I'm hoping some of you have some suggestions!

EDITED

Here's some of the relevant code, by request.

in settings.py

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
)

LOGIN_URL = '/login/'
LOGOUT_URL = '/logout/'
LOGIN_REDIRECT_URL = '/'

in urls.py

(r'^login/', 'django.contrib.auth.views.login', {'template_name': 'login.html'}),  
(r'^logout/', 'django.contrib.auth.views.logout', {'template_name': 'logout.html'}),

in login.html

{% block content %}
<h1>Please Log In</h1>
{% if form.errors %}<p>Your username and password didn't match. Please try again.</p>{% endif %}
<form method="post" action="/login/">
<p>{{ form.username.label_tag }} {{ form.username }}</p>
<p>{{ form.password.label_tag }} {{ form.password }}</p>
<p><input type="submit" value="login" /></p>
<input type="hidden" name="next" value="{{ next }}" />
</form>
{% endblock %}
A: 

Hi, it's very unlikely that the error is in the stock Django middleware, so you don't need to debug that, but you can add a bunch of logging statements in your code and later analyze the logs. The Python logging module works well for this purpose.

Evgeny
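
One way to do the logging suggested in the answer above, as an added example that is not part of the original answer or of Django itself: an old-style middleware that records which cookies arrive and whether a session cookie is set on login requests, logging only a hash of the session key. The names `LoginDebugMiddleware`, `describe`, `fingerprint` and the `login_debug` logger are hypothetical, and the cookie name assumes Django's default `sessionid`.

```python
import hashlib
import logging

log = logging.getLogger("login_debug")  # hypothetical logger name
SESSION_COOKIE_NAME = "sessionid"       # Django's default; assumed unchanged
LOGIN_PATH = "/login/"                  # LOGIN_URL from the question's settings.py


def fingerprint(value):
    """One-way tag: lets log lines be correlated without storing a usable session key."""
    if not value:
        return None
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def describe(request, response=None):
    """Collect cookie/session facts for one request. POST data is never read,
    so the shared password cannot end up in the log."""
    facts = {
        "method": request.method,
        "path": request.path,
        "user_agent": request.META.get("HTTP_USER_AGENT", ""),
        "cookie_names": sorted(request.COOKIES.keys()),
        "session_in": fingerprint(request.COOKIES.get(SESSION_COOKIE_NAME)),
    }
    if response is not None:
        facts["status"] = response.status_code
        morsel = response.cookies.get(SESSION_COOKIE_NAME)
        facts["session_out"] = fingerprint(morsel.value) if morsel is not None else None
    return facts


class LoginDebugMiddleware(object):
    """Old-style middleware for MIDDLEWARE_CLASSES. List it above SessionMiddleware:
    response hooks run bottom-up, so only then is the Set-Cookie header visible here."""

    def process_response(self, request, response):
        # A login POST logs session_out; if the browser kept the cookie, the next
        # request to LOGIN_PATH (e.g. a bounce back to the form) shows the same
        # value as session_in. None there means the cookie never came back.
        if request.path.startswith(LOGIN_PATH):
            log.info("login-debug %r", describe(request, response))
        return response
```

Comparing `session_out` on a login POST with `session_in` on the same client's next logged request separates "cookie was never stored or returned" from failures that happen after the cookie round-trips.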
A: 

Disclaimer: I'm not a Django/Python expert by any means. Just have some general advice to give.

Is the SQL server being pegged? Perhaps it's being overloaded, dropping some of the login requests through a timeout of some sort.

Is everything running off of one server, or multiple servers? If multiple, there could be timeouts between them, or some sort of syncing issues.

Dave Gallagher
Everything's running off one server, but I've ruled out load issues because for the people who can't log in, they've never been able to log in, regardless of when they try. And it's not generally a heavily-loaded server... it spikes after a newsletter goes out once a month, but other than that usage is light but ongoing.
nmjk