Opened 11 years ago
Closed 11 years ago
#21704 closed Bug (worksforme)
CSRF verification fails for logged-out users with multiple tabs open
Reported by: | Owned by: | Mimino | |
---|---|---|---|
Component: | CSRF | Version: | 1.6 |
Severity: | Normal | Keywords: | csrf |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Here is the scenario (we are using two tabs, A and B):
- (in tab A): As a logged-out user, open the login page. The CSRF token is set to some value.
- (in tab B): Don't log in to the site yet, but open the login page in a new tab. The CSRF token is now the same in both tabs.
- (in tab B): Log in to the site. The CSRF token is set to some new value for the logged-in user.
- (in tab B): Log out of the site. The CSRF token is rotated and set to a new value for the logged-out user.
- (in tab A): Try to log in to the site. Bam - 403! The problem is that the login form still contained the old CSRF token.
Is this the intended behavior of CSRF rotation? If yes, how should it be handled in a user-friendly manner?
I think this is the intended behaviour. In order to retain the security of rotating the CSRF token on logout (which is otherwise the source of some nasty possible XSS exploits), and given that we bake the CSRF token into the page on render, the two unfortunately will clash in this use case. The best thing to do for user friendliness is to customise your 403.html to display a helpful message, and/or link to the login page again.
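The two-tab exchange from the description, together with the friendlier failure response the comment suggests, as an added example that is not Django's code and not part of the original ticket. It is a self-contained Python model in which every tab of one browser shares a single cookie jar, the token is baked into each form at render time, and the server rotates the cookie token on login and again on logout, as the reporter observed. `Server`, `Browser`, `Tab`, `run_scenario` and `csrf_failure` are names invented for this example; the constant-time comparison of the submitted form token against the cookie token mirrors the check `CsrfViewMiddleware` performed in Django 1.6, but nothing else here is taken from Django.

```python
import hmac
import secrets


def new_token():
    """Fresh random token (stand-in for a rotated CSRF token)."""
    return secrets.token_hex(16)


def csrf_failure(reason, login_url="/login/"):
    """Friendlier 403 body: explain the stale form and point back to login.

    Django lets you install such a handler through the CSRF_FAILURE_VIEW
    setting (a callable receiving the request and the failure reason);
    this function only models the message such a view would render.
    """
    return (
        "403 Forbidden: " + reason + " "
        "This usually happens when a page was left open in another tab "
        "while you logged in or out elsewhere. Please reload the form and "
        "try again: " + login_url
    )


class Server:
    """Server side of the exchange, modelled on the ticket's description."""

    def __init__(self):
        self.logged_in = False

    def render_form(self, cookies):
        """GET a page with a form: issue the CSRF cookie if the browser has
        none, and bake the token that is valid *now* into the rendered form."""
        if "csrftoken" not in cookies:
            cookies["csrftoken"] = new_token()
        return {"csrfmiddlewaretoken": cookies["csrftoken"]}

    def _csrf_ok(self, cookies, form):
        cookie_token = cookies.get("csrftoken", "")
        form_token = form.get("csrfmiddlewaretoken", "")
        return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)

    def post_login(self, cookies, form):
        if not self._csrf_ok(cookies, form):
            return 403, csrf_failure("CSRF token missing or incorrect.")
        self.logged_in = True
        cookies["csrftoken"] = new_token()  # rotated on login
        return 200, "logged in"

    def post_logout(self, cookies, form):
        if not self._csrf_ok(cookies, form):
            return 403, csrf_failure("CSRF token missing or incorrect.")
        self.logged_in = False
        cookies["csrftoken"] = new_token()  # rotated again on logout, as in the ticket
        return 200, "logged out"


class Browser:
    """All tabs share one cookie jar, so a rotation triggered from one tab
    invalidates the form still sitting in another."""

    def __init__(self):
        self.cookies = {}


class Tab:
    """One browser tab: remembers the form it last rendered."""

    def __init__(self, browser):
        self.browser = browser
        self.form = None

    def open_page(self, server):
        self.form = server.render_form(self.browser.cookies)

    def submit_login(self, server):
        return server.post_login(self.browser.cookies, self.form)

    def submit_logout(self, server):
        return server.post_logout(self.browser.cookies, self.form)


def run_scenario():
    """Replay the five steps from the ticket and report what each tab sees."""
    server, browser = Server(), Browser()
    tab_a, tab_b = Tab(browser), Tab(browser)

    tab_a.open_page(server)                                # step 1
    tab_b.open_page(server)                                # step 2: same token
    same_token = tab_a.form == tab_b.form
    status_login, _ = tab_b.submit_login(server)           # step 3: cookie rotated
    tab_b.open_page(server)                                # logged-in page carries the new token
    status_logout, _ = tab_b.submit_logout(server)         # step 4: rotated again
    stale_status, stale_body = tab_a.submit_login(server)  # step 5: old token -> 403

    tab_a.open_page(server)                                # recovery: reload picks up current token
    retry_status, _ = tab_a.submit_login(server)

    return {
        "same_token_after_step_2": same_token,
        "tab_b_login": status_login,
        "tab_b_logout": status_logout,
        "tab_a_stale_submit": stale_status,
        "tab_a_stale_body": stale_body,
        "tab_a_after_reload": retry_status,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the block shows the stale submission from tab A rejected with 403 and the same tab succeeding once its form is re-rendered with the current cookie token, which is why the comment's advice (a 403 page that explains the situation and links back to the login form) is the practical fix: the rejection is the security property working as intended, and the only thing under your control is how the user recovers from it.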