Context Navigation

← Previous Ticket
Next Ticket →

#26201 closed Cleanup/optimization (fixed)

Document the consequences of rotating the CSRF token on login

Reported by:	Wim Feijen	Owned by:	Vaclav Ehrlich
Component:	Documentation	Version:	1.8
Severity:	Normal	Keywords:
Cc:	zachborboa@…	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Hello,

When debug is set to False, my customers can be confronted with a yellow error screen, saying:

Forbidden (403)

CSRF verification failed. Request aborted.

I believe this happens when some-one has two tabs open. He logs in and out in one tab. Then, in the other tab he fills in a form which now holds an invalid csrf-token.

I would like this error to be end-user friendly: meaning I'd rather show him a default 404-page which is defined by me and is worded in a way the end user understands. And I would like to receive an error message.

Thanks! Wim

Change History (11)

comment:1 by Wim Feijen, 10 years ago

Version:	1.9 → 1.8

comment:2 by Aymeric Augustin, 10 years ago

I think this is a false positive of the CSRF protection. It happens because the CSRF token is rotated on login.

It was likely discussed on the mailing list or in another ticket before but I don't remember the outcome.

comment:3 by Tim Graham, 10 years ago

Component:	Uncategorized → Documentation
Summary:	CSRF verification failed. Request aborted. screen is shown to end users → Document the consequences of rotating the CSRF token on login
Triage Stage:	Unreviewed → Accepted
Type:	Uncategorized → Cleanup/optimization

As for how to customize the CSRF error page, see the docs.

I'll accept this ticket to add an FAQ to the list started in #26165. In his security talk at Django Under the Hood 2015, Florian said rotating the token on login "is a security feature and won't change."

comment:4 by Wim Feijen, 10 years ago

Hi thanks Aymeric and Tim for your quick response and reference!

My additional proposal would be to change the wording of the error message to something an end-user would understand, for example:

Access forbidden (403 error)

Please reload the page to try again.

Your request was aborted due to a CSRF verification failure.

Please report to the site's administrator if the problem persists.

comment:5 by Zach Borboa, 10 years ago

Cc:	zachborboa@… added

comment:6 by Collin Anderson, 10 years ago

This happens to my users pretty frequently for whatever reason (possibly the back button is involved). Reloading the POST request doesn't fix it, because it will re-POST the old csrf token. The user needs to press back, reload (GET) the page, and then re-submit the form.

comment:7 by Vaclav Ehrlich, 10 years ago

Owner:	changed from nobody to Vaclav Ehrlich
Status:	new → assigned

comment:8 by Vaclav Ehrlich, 10 years ago

Has patch:	set

comment:9 by Tim Graham, 10 years ago

comment:10 by Tim Graham <timograham@…>, 10 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 369fa47:

Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

comment:11 by Tim Graham <timograham@…>, 10 years ago

In 147f9a0d:

[1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues