Context Navigation

← Previous Ticket
Next Ticket →

#26201 closed Cleanup/optimization (fixed)

Document the consequences of rotating the CSRF token on login

Reported by:	Wim Feijen	Owned by:	Vaclav Ehrlich
Component:	Documentation	Version:	1.8
Severity:	Normal	Keywords:
Cc:	zachborboa@…	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Hello,

When debug is set to False, my customers can be confronted with a yellow error screen, saying:

Forbidden (403)

CSRF verification failed. Request aborted.

I believe this happens when some-one has two tabs open. He logs in and out in one tab. Then, in the other tab he fills in a form which now holds an invalid csrf-token.

I would like this error to be end-user friendly: meaning I'd rather show him a default 404-page which is defined by me and is worded in a way the end user understands. And I would like to receive an error message.

Thanks! Wim

Change History (11)

comment:1 by Wim Feijen, 9 years ago

Version:	1.9 → 1.8

comment:2 by Aymeric Augustin, 9 years ago

I think this is a false positive of the CSRF protection. It happens because the CSRF token is rotated on login.

It was likely discussed on the mailing list or in another ticket before but I don't remember the outcome.

comment:3 by Tim Graham, 9 years ago

Component:	Uncategorized → Documentation
Summary:	CSRF verification failed. Request aborted. screen is shown to end users → Document the consequences of rotating the CSRF token on login
Triage Stage:	Unreviewed → Accepted
Type:	Uncategorized → Cleanup/optimization

As for how to customize the CSRF error page, see the docs.

I'll accept this ticket to add an FAQ to the list started in #26165. In his security talk at Django Under the Hood 2015, Florian said rotating the token on login "is a security feature and won't change."

comment:4 by Wim Feijen, 9 years ago

Hi thanks Aymeric and Tim for your quick response and reference!

My additional proposal would be to change the wording of the error message to something an end-user would understand, for example:

Access forbidden (403 error)

Please reload the page to try again.

Your request was aborted due to a CSRF verification failure.

Please report to the site's administrator if the problem persists.

comment:5 by Zach Borboa, 9 years ago

Cc:	zachborboa@… added

comment:6 by Collin Anderson, 9 years ago

This happens to my users pretty frequently for whatever reason (possibly the back button is involved). Reloading the POST request doesn't fix it, because it will re-POST the old csrf token. The user needs to press back, reload (GET) the page, and then re-submit the form.

comment:7 by Vaclav Ehrlich, 9 years ago

Owner:	changed from nobody to Vaclav Ehrlich
Status:	new → assigned

comment:8 by Vaclav Ehrlich, 9 years ago

Has patch:	set

comment:9 by Tim Graham, 9 years ago

comment:10 by Tim Graham <timograham@…>, 9 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 369fa47:

Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

comment:11 by Tim Graham <timograham@…>, 9 years ago

In 147f9a0d:

[1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF token on login.

Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues