id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24786	CSRF False Positive when Logging in From Other Screen Simultaneously	Klaas van Schelven	nobody	"Consider the following scenario:

* Go to a login page (e.g. standard contrib.auth stuff)
* Open another tab and go to the same page
* Log in from the first page
* Log in from the second page

You will now be presented with a CSRF error. I would consider this a false positive.

In my understanding CSRF protects against data which is crafted on other domains (controlled by the attacker) and is then posted to the server.

In other words, it should protect against cases in which data is POSTed to the server which was not first presented to the user by the server. In the scenario above, the data _was_ first presented by the server to the user. Hence this is a False Positive.

A similar scenario exists if the first login is followed by a logout. In this case I can make an educated guess towards the reason (namely: the full session is likely to be flushed on logout, causing any CSRF cookies to be deleted). However, I would say it's equally wrong.

I am not a security researcher - correct me if I'm wrong in all/any of the above."	Uncategorized	closed	Uncategorized	1.7	Normal	duplicate			Unreviewed	0	0	0	0	0	0
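The two-tab sequence in the ticket, modelled as an added example that is not part of the ticket or of Django's own code. It is a constructed, simplified model of a double-submit-cookie CSRF check (form field must equal the cookie, compared in constant time) in which a successful login replaces the cookie value, as Django's django.contrib.auth.login() does by calling django.middleware.csrf.rotate_token(). The Browser and CsrfServer classes, the cookie and field names, and the rotate_on_login switch are assumptions of this model; the second function shows what rotation buys, namely that a token captured before authentication no longer passes afterwards.

```python
import hmac
import secrets

COOKIE = "csrftoken"            # assumed cookie name (Django's default)
FIELD = "csrfmiddlewaretoken"   # assumed hidden form field name (Django's default)


class Browser:
    """One user agent: a cookie jar shared by every tab, plus the hidden
    csrfmiddlewaretoken each open tab captured when its page was rendered."""

    def __init__(self):
        self.cookies = {}
        self.forms = {}   # tab name -> value of FIELD embedded in that tab's form


class CsrfServer:
    """Constructed double-submit-cookie check: the submitted field must equal
    the cookie. rotate_on_login models auth.login() calling rotate_token()."""

    def __init__(self, rotate_on_login=True):
        self.rotate_on_login = rotate_on_login

    def render_login_page(self, browser, tab):
        # Like the middleware + {% csrf_token %}: make sure a cookie exists and
        # embed the same value in the rendered form of this tab.
        if COOKIE not in browser.cookies:
            browser.cookies[COOKIE] = secrets.token_hex(16)
        browser.forms[tab] = browser.cookies[COOKIE]

    def csrf_ok(self, browser, tab):
        cookie = browser.cookies.get(COOKIE, "")
        submitted = browser.forms.get(tab, "")
        # Constant-time comparison, as Django's constant_time_compare() does.
        return hmac.compare_digest(cookie, submitted)

    def post_login(self, browser, tab):
        """Return an HTTP-like status: 403 on CSRF failure, 302 on login."""
        if not self.csrf_ok(browser, tab):
            return 403
        if self.rotate_on_login:
            # Successful login: issue a fresh token. Every other open tab
            # still carries the old value in its form and will now fail.
            browser.cookies[COOKIE] = secrets.token_hex(16)
        return 302


def two_tab_login(rotate_on_login=True):
    """The ticket's scenario: two tabs open the login page, then both submit.
    Returns (tab1 result, tab2 result, tab2 result after reloading the page)."""
    server, browser = CsrfServer(rotate_on_login), Browser()
    server.render_login_page(browser, "tab1")
    server.render_login_page(browser, "tab2")
    first = server.post_login(browser, "tab1")
    second = server.post_login(browser, "tab2")
    server.render_login_page(browser, "tab2")   # reload picks up the new cookie
    retried = server.post_login(browser, "tab2")
    return first, second, retried


def stale_token_still_valid(rotate_on_login=True):
    """Does a token captured before authentication still pass after login?
    This is the case rotation exists to close."""
    server, browser = CsrfServer(rotate_on_login), Browser()
    server.render_login_page(browser, "tab1")
    captured = browser.forms["tab1"]            # value known before login
    server.post_login(browser, "tab1")
    browser.forms["replay"] = captured          # reuse it after login
    return server.csrf_ok(browser, "replay")


if __name__ == "__main__":
    print("with rotation:   ", two_tab_login(True))    # second tab gets 403
    print("without rotation:", two_tab_login(False))   # second tab gets 302
    print("pre-login token valid after login, with rotation:   ",
          stale_token_still_valid(True))
    print("pre-login token valid after login, without rotation:",
          stale_token_still_valid(False))
```

With rotation on, the second tab's POST is rejected exactly as the ticket describes, and simply reloading that tab makes it pass again, because the reloaded form carries the new cookie value. With rotation off, both tabs succeed, but a token observed before authentication keeps working after it, which is the trade-off behind rotating on login.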
