#21704 closed Bug (worksforme)

Csrf verification fails for unlogged users with multiple tabs opened

Reported by: mimino.coder@… Owned by: Mimino
Component: CSRF Version: 1.6
Severity: Normal Keywords: csrf
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Here is the scenario (we are using 2 tabs, A and B):

  1. (in tab A): As an unlogged user, open the login page. Csrf token is set to some value.
  2. (in tab B): Don't login into the site yet, but open the login page in a new tab. Csrf token is now the same in both tabs.
  3. (in tab B): Login into the site. Csrf token is set for a logged-in user to some new value.
  4. (in tab B): Logout from the site. Csrf token is rotated and set to a new value for unlogged user.
  5. (in tab A): Try to login into the site. Bam - 403! The problem is, the login form still contained the old csrf token.

Is this the intended behavior of csrf rotation? If yes, how to handle it in user-friendly manner?

Change History (1)

comment:1 Changed 20 months ago by mjtamlyn

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to worksforme
  • Status changed from new to closed

I think this is the intended behaviour. In order to retain the security of rotating the CSRF token on logout (which is otherwise the source of some nasty possible XSS exploits), and that we bake the CSRF token in to the page on render, the two unfortunately will clash in this use case. The best thing to do for user friendliness is the customise your 403.html to display a helpful message, and/or link to the login page again.

Note: See TracTickets for help on using tickets.
Back to Top