#26201 closed Cleanup/optimization (fixed)
Document the consequences of rotating the CSRF token on login
Reported by: | Wim Feijen | Owned by: | Vaclav Ehrlich |
---|---|---|---|
Component: | Documentation | Version: | 1.8 |
Severity: | Normal | Keywords: | |
Cc: | zachborboa@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Hello,
When debug is set to False, my customers can be confronted with a yellow error screen, saying:
Forbidden (403)
CSRF verification failed. Request aborted.
I believe this happens when someone has two tabs open. He logs in and out in one tab. Then, in the other tab he fills in a form which now holds an invalid CSRF token.
I would like this error to be end-user friendly: meaning I'd rather show him a default 404 page which is defined by me and is worded in a way the end user understands. And I would like to receive an error message.
Thanks! Wim
Change History (11)
comment:1 Changed 7 years ago by
Version: | 1.9 → 1.8 |
---|---|
comment:2 Changed 7 years ago by
comment:3 Changed 7 years ago by
Component: | Uncategorized → Documentation |
---|---|
Summary: | CSRF verification failed. Request aborted. screen is shown to end users → Document the consequences of rotating the CSRF token on login |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
As for how to customize the CSRF error page, see the docs.
I'll accept this ticket to add an FAQ to the list started in #26165. In his security talk at Django Under the Hood 2015, Florian said rotating the token on login "is a security feature and won't change."
comment:4 Changed 7 years ago by
Hi, thanks Aymeric and Tim for your quick response and reference!
My additional proposal would be to change the wording of the error message to something an end-user would understand, for example:
Access forbidden (403 error)
Please reload the page to try again.
Your request was aborted due to a CSRF verification failure.
Please report to the site's administrator if the problem persists.
comment:5 Changed 7 years ago by
Cc: | zachborboa@… added |
---|---|
comment:6 Changed 7 years ago by
This happens to my users pretty frequently for whatever reason (possibly the back button is involved). Reloading the POST request doesn't fix it, because it will re-POST the old csrf token. The user needs to press back, reload (GET) the page, and then re-submit the form.
comment:7 Changed 7 years ago by
Owner: | changed from nobody to Vaclav Ehrlich |
---|---|
Status: | new → assigned |
comment:8 Changed 7 years ago by
Has patch: | set |
---|---|
I think this is a false positive of the CSRF protection. It happens because the CSRF token is rotated on login.
It was likely discussed on the mailing list or in another ticket before but I don't remember the outcome.
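As an added illustration, not part of this ticket or of Django's own code, the following stand-alone model shows why rotating the CSRF secret on login makes a form rendered in another tab fail, why re-POSTing the old token (comment 6) does not help while a fresh GET does, and the kind of user-friendly failure handler comment 4 asks for. `Session`, `csrf_failure` and `two_tab_scenario` are hypothetical names; the token scheme is simplified (Django masks its tokens, this model compares the raw secret).

```python
import hmac
import logging
import secrets

log = logging.getLogger("csrf")


def csrf_failure(reason):
    """Hypothetical user-friendly 403 handler (constructed here):
    plain wording for the end user, a log line for the site administrator."""
    log.warning("CSRF verification failed: %s", reason)
    return 403, "Access forbidden (403 error). Please reload the page to try again."


class Session:
    """Minimal stand-in for one browser session whose CSRF secret lives in a cookie."""

    def __init__(self):
        self.csrf_secret = secrets.token_urlsafe(32)

    def render_form(self):
        """A GET that renders a form embeds the secret current at that moment as the hidden token."""
        return self.csrf_secret

    def login(self):
        """Rotating the secret on login is the behaviour this ticket documents."""
        self.csrf_secret = secrets.token_urlsafe(32)

    def post(self, form_token):
        """Check the submitted token against the cookie secret in constant time."""
        if hmac.compare_digest(form_token, self.csrf_secret):
            return 200, "form accepted"
        return csrf_failure("token in form does not match cookie secret")


def two_tab_scenario():
    """Tab A renders a form, tab B logs in (rotating the secret), tab A submits.
    Returns the status codes of the stale submit, a re-POST of the same token,
    and a submit after a fresh GET."""
    session = Session()
    tab_a_token = session.render_form()               # tab A: form rendered before login
    session.login()                                   # tab B: login rotates the secret
    stale = session.post(tab_a_token)[0]              # tab A submits -> 403
    repost = session.post(tab_a_token)[0]             # "reload" re-POSTs the old token -> still 403
    fresh = session.post(session.render_form())[0]    # back, GET, resubmit -> 200
    return stale, repost, fresh
```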