Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#26201 closed Cleanup/optimization (fixed)

Document the consequences of rotating the CSRF token on login

Reported by: Wim Feijen
Owned by: Vaclav Ehrlich
Component: Documentation
Version: 1.8
Severity: Normal
Keywords:
Cc: zachborboa@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hello,

When debug is set to False, my customers can be confronted with a yellow error screen, saying:

Forbidden (403)

CSRF verification failed. Request aborted.

I believe this happens when someone has two tabs open. He logs in and out in one tab. Then, in the other tab he fills in a form which now holds an invalid CSRF token.

I would like this error to be end-user friendly: meaning I'd rather show him a default 404-page which is defined by me and is worded in a way the end user understands. And I would like to receive an error message.

Thanks! Wim

Change History (11)

comment:1 by Wim Feijen, 8 years ago

Version: 1.9 → 1.8

comment:2 by Aymeric Augustin, 8 years ago

I think this is a false positive of the CSRF protection. It happens because the CSRF token is rotated on login.

It was likely discussed on the mailing list or in another ticket before but I don't remember the outcome.

comment:3 by Tim Graham, 8 years ago

Component: Uncategorized → Documentation
Summary: CSRF verification failed. Request aborted. screen is shown to end users → Document the consequences of rotating the CSRF token on login
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

As for how to customize the CSRF error page, see the docs.

I'll accept this ticket to add an FAQ to the list started in #26165. In his security talk at Django Under the Hood 2015, Florian said rotating the token on login "is a security feature and won't change."

comment:4 by Wim Feijen, 8 years ago

Hi thanks Aymeric and Tim for your quick response and reference!

My additional proposal would be to change the wording of the error message to something an end-user would understand, for example:

Access forbidden (403 error)

Please reload the page to try again.

Your request was aborted due to a CSRF verification failure.

Please report to the site's administrator if the problem persists.

comment:5 by Zach Borboa, 8 years ago

Cc: zachborboa@… added

comment:6 by Collin Anderson, 8 years ago

This happens to my users pretty frequently for whatever reason (possibly the back button is involved). Reloading the POST request doesn't fix it, because it will re-POST the old csrf token. The user needs to press back, reload (GET) the page, and then re-submit the form.
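
As an added illustration of the sequence Aymeric (comment 2) and Collin (comment 6) describe, and not code from the ticket, the patch or Django itself: a minimal model of the CSRF check Django 1.8/1.9 performs, in which the token in a submitted form must equal the value of the csrftoken cookie and a successful login replaces that cookie (rotate_token). The cookie name and the rotation on login are Django's; Browser, Page, Site, two_tab_scenario and the constructed two-tab sequence are this example's own, and the masked per-request tokens of later Django versions are left out.

```python
import hmac
import secrets

# Simplified model of the double-submit check Django 1.8/1.9's
# CsrfViewMiddleware performs: the token in the POSTed form must equal
# the csrftoken cookie, and django.contrib.auth.login() replaces that
# cookie value via rotate_token(). All class and function names here are
# this example's own, not Django's API.


def new_csrf_secret():
    # Fresh random secret, as the middleware issues when no cookie is set.
    return secrets.token_hex(16)


class Browser:
    """One browser profile: the cookie jar is shared by every open tab."""

    def __init__(self):
        self.cookies = {}


class Page:
    """A page rendered in one tab; it keeps the token baked into its form."""

    def __init__(self, form_token):
        self.form_token = form_token


class Site:
    def render_form(self, browser):
        # GET: make sure a CSRF cookie exists, then embed its value in the form.
        secret = browser.cookies.get("csrftoken")
        if secret is None:
            secret = new_csrf_secret()
            browser.cookies["csrftoken"] = secret
        return Page(form_token=secret)

    def _token_is_valid(self, browser, page):
        # The POSTed token must match what the cookie holds right now.
        cookie = browser.cookies.get("csrftoken")
        return cookie is not None and hmac.compare_digest(cookie, page.form_token)

    def submit(self, browser, page):
        # A CSRF-protected view: 403 on mismatch, 200 otherwise.
        return 200 if self._token_is_valid(browser, page) else 403

    def login(self, browser, page):
        # The login view is protected too; on success the token is rotated,
        # so every page rendered before this point now holds a stale token.
        if not self._token_is_valid(browser, page):
            return 403
        browser.cookies["csrftoken"] = new_csrf_secret()  # rotate_token()
        return 200


def two_tab_scenario():
    """Reproduce the ticket: logging in from tab B invalidates the form open in tab A.

    Returns three status codes: the stale submit, a re-POST of the same stale
    form (what reloading the POST does), and a submit after a GET reload.
    """
    browser, site = Browser(), Site()
    tab_a = site.render_form(browser)          # user opens a form in tab A
    tab_b = site.render_form(browser)          # user opens the login form in tab B
    assert site.login(browser, tab_b) == 200   # login succeeds and rotates the cookie

    stale = site.submit(browser, tab_a)        # tab A's token no longer matches
    re_post = site.submit(browser, tab_a)      # reloading the POST re-sends the same token
    tab_a = site.render_form(browser)          # back + GET reload picks up the new cookie
    fresh = site.submit(browser, tab_a)
    return stale, re_post, fresh


if __name__ == "__main__":
    print(two_tab_scenario())  # (403, 403, 200)
```

The second status code is why Collin's users cannot recover by reloading the POST: the browser re-sends the stale token, and the cookie it is compared against has already changed. The error page Tim points to is chosen by the CSRF_FAILURE_VIEW setting, whose view is called as csrf_failure(request, reason=""); that is the place to put the "go back, reload the page, then resubmit" wording, since only a GET re-render picks up the rotated cookie.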

comment:7 by Vaclav Ehrlich, 8 years ago

Owner: changed from nobody to Vaclav Ehrlich
Status: new → assigned

comment:8 by Vaclav Ehrlich, 8 years ago

Has patch: set

comment:9 by Tim Graham, 8 years ago

comment:10 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assigned → closed

In 369fa47:

Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

comment:11 by Tim Graham <timograham@…>, 8 years ago

In 147f9a0d:

[1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master
