
CSRF error when logging in to PyPI.org

Open · ronaldoussoren opened this issue 7 months ago · 1 comment

Describe the bug

I get a CSRF error when logging into https://pypi.org/ when I log in after having used "Remember this device for 30 days" for the 2FA authentication with a security token earlier. I do not get this error when logging in on a system where I didn't use the 'remember' feature earlier.

The full error page:

400 Bad CSRF Token

Access is denied. This server can not verify that your cross-site request forgery token belongs to your login session. Either you supplied the wrong cross-site request forgery token or your session no longer exists. This may be due to session timeout or because browser is not supplying the credentials required, as can happen when the browser has cookies turned off.

check_csrf_token(): Invalid token

When I reopen the page I'm actually logged on.

This is on a macOS system using Safari as the browser.

Expected behavior

Logging in just works

To Reproduce

  • On a system running macOS and using Safari log in to PyPI and select 'Remember this device for 30 days' when verifying the security token
  • Log off again
  • Log on again
    • Get a CSRF error when getting to the 2FA verification step

My Platform

  • Browser: Safari 18.4 (20621.1.15.11.10)
  • OS: macOS 15.4 (24E248)

Additional context

ronaldoussoren · Apr 20 '25 09:04
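The error page quoted in the report is produced by a session-bound CSRF check: the token rendered into the form is stored in the server-side session, and validation fails both when the submitted token does not match and when the session the cookie points at no longer exists. The following is an added illustration of that mechanism, not warehouse's or Pyramid's own code; the `SessionStore` class and the `demo()` walkthrough are constructed for this example.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session store standing in for a real session backend."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # A fresh session gets its own random CSRF token; tokens are never shared
        # across sessions, which is what makes the check session-bound.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"csrf_token": secrets.token_hex(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        # Models session timeout or a server-side logout.
        self._sessions.pop(sid, None)


class BadCSRFToken(Exception):
    """Raised when the check fails; corresponds to the 400 'Bad CSRF Token' response."""


def csrf_token_for(store, sid):
    """Return the token the server would render into the login form for this session."""
    session = store.get(sid)
    if session is None:
        raise BadCSRFToken("session no longer exists")
    return session["csrf_token"]


def check_csrf_token(store, sid, submitted):
    """Session-bound CSRF check.

    `sid` is the session identified by the request's cookie (None if the browser
    sent no cookie). Both a wrong token and a missing session fail, which is why
    the error page lists those two causes together.
    """
    session = store.get(sid) if sid is not None else None
    if session is None:
        raise BadCSRFToken("session no longer exists")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak token bytes via timing.
    if submitted is None or not hmac.compare_digest(expected, submitted):
        raise BadCSRFToken("Invalid token")
    return True


def demo():
    """Walk through the three outcomes: valid, token from another session, session gone."""
    store = SessionStore()
    sid = store.create()
    token = csrf_token_for(store, sid)
    valid = check_csrf_token(store, sid, token)

    # The same token submitted under a different session is rejected.
    other_sid = store.create()
    cross_session_rejected = False
    try:
        check_csrf_token(store, other_sid, token)
    except BadCSRFToken:
        cross_session_rejected = True

    # The session behind the token disappears (timeout, or the cookie is not sent);
    # the previously valid token is now rejected with the same error class.
    store.invalidate(sid)
    stale_session_rejected = False
    try:
        check_csrf_token(store, sid, token)
    except BadCSRFToken:
        stale_session_rejected = True

    return valid, cross_session_rejected, stale_session_rejected


if __name__ == "__main__":
    print(demo())
```

The practical consequence for debugging a report like this one is that "Invalid token" on its own does not distinguish a stale form from a lost session; checking whether the session cookie sent with the failing request still matches a live session is the first thing to verify.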

Confirming that this is a valid bug.

di · Apr 21 '25 13:04