CSRF verification fails for logged-out users with multiple tabs opened
Reported by: mimino.coder@… | Owned by: Mimino
Has patch: no | Needs documentation: no
Needs tests: no | Patch needs improvement: no
Here is the scenario (we are using 2 tabs, A and B):
- (in tab A): As a logged-out user, open the login page. The CSRF token is set to some value.
- (in tab B): Don't log in to the site yet, but open the login page in a new tab. The CSRF token is now the same in both tabs.
- (in tab B): Log in to the site. The CSRF token is set to some new value for the logged-in user.
- (in tab B): Log out of the site. The CSRF token is rotated and set to a new value for the logged-out user.
- (in tab A): Try to log in to the site. Bam - 403! The problem is, the login form still contains the old CSRF token.
Is this the intended behavior of CSRF rotation? If yes, how can it be handled in a user-friendly manner?
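As an added example (not code from the ticket or from the framework it concerns), the following stand-alone Python model of session-bound CSRF token rotation replays the two-tab sequence above and shows why tab A's stale form is rejected while a reloaded form succeeds. The `Session` class, `render_login_form` and `post_login` are simplified assumptions constructed for this illustration, not the framework's own middleware.

```python
import hmac
import secrets


class Session:
    """Minimal session owning the CSRF token and login state (constructed here)."""

    def __init__(self):
        self.user = None
        self.csrf_token = secrets.token_hex(16)

    def rotate_token(self):
        # Rotating on a privilege change (login, logout) invalidates every
        # form already rendered with the previous token, in every open tab.
        self.csrf_token = secrets.token_hex(16)

    def login(self, username):
        self.user = username
        self.rotate_token()

    def logout(self):
        self.user = None
        self.rotate_token()


def render_login_form(session):
    """A tab loading the login page captures whatever token is current."""
    return {"csrfmiddlewaretoken": session.csrf_token}


def post_login(session, form, username):
    """Check the submitted token against the session's current token."""
    submitted = form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403  # stale or missing token: request rejected
    session.login(username)
    return 200


def reproduce_scenario():
    """Replay the two-tab sequence; returns the outcome of each step."""
    session = Session()                  # one browser, one shared session
    form_a = render_login_form(session)  # tab A loads the login page
    form_b = render_login_form(session)  # tab B loads it too: same token
    status_b = post_login(session, form_b, "alice")  # tab B logs in, rotates
    session.logout()                                 # tab B logs out, rotates
    status_a = post_login(session, form_a, "alice")  # tab A posts the old token
    status_reload = post_login(session, render_login_form(session), "alice")
    return {"same_token": form_a == form_b, "tab_b": status_b,
            "tab_a": status_a, "tab_a_reloaded": status_reload}
```

The model makes the trade-off visible: rotation on login and logout limits how long a captured token stays valid, and the cost is that any form rendered before the rotation must be reloaded before it can be submitted.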