Opened 3 years ago
Last modified 3 years ago
#33617 closed Bug
CSRF fails on my website (https://en.speedymatch.com/) when entering my website from Google — at Version 3
Reported by: | אורי | Owned by: | nobody |
---|---|---|---|
Component: | CSRF | Version: | 3.2 |
Severity: | Normal | Keywords: | |
Cc: | אורי | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
How to reproduce this bug:
Open Chrome in incognito mode.
I click on a Google ad which redirects me to https://en.speedymatch.com/contact/?gclid=EAIaIQobChMIj43PgP379gIV0xx9Ch3UIg_FEAMYAyABEgK13_D_BwE (this ad can be found for example when searching for "Dating sites for singles speedy" on Google, from the USA)
Then I go back to the ad and click on a link which redirects me to https://en.speedymatch.com/about/
Then I go back to https://en.speedymatch.com/contact/?gclid=EAIaIQobChMIj43PgP379gIV0xx9Ch3UIg_FEAMYAyABEgK13_D_BwE and fill in the form. I type another number in the "Type the number "17"*" field.
I get this error message:
Forbidden (403) CSRF verification failed. Request aborted. More information is available with DEBUG=True.
By email I receive an email like "[Django] WARNING (EXTERNAL IP): Forbidden (CSRF token missing or incorrect.): /". I received more than 1,300 error messages containing "CSRF token missing or incorrect" in the last 6 months.
Another way to get this message is to go to https://www.google.com/search?q=site%3Aspeedymatch.com (search for "site:speedymatch.com"), then click on https://en.speedymatch.com/contact/ (the second result), and then click on https://en.speedymatch.com/about/ (the first result). Or click on the main page (https://en.speedymatch.com/) and then click on https://en.speedymatch.com/about/ . All the clicks should open new tabs.
The problem is that real users can click these ads or search results and come to my website, but they can't submit a form such as the contact form or registration form if they clicked on another URL after they clicked on the link to the form. I checked, and this error message also appears on the registration form (https://en.speedymatch.com/).
If the user goes back and fills in the form again, it works without error messages.
CSRF is supposed to block malicious users but it blocks many legitimate users on my website.
This bug also occurs if I open the same form twice in two different tabs. For example, if I click on https://en.speedymatch.com/ from Google twice and try to fill out the first form (in the first tab).
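For readers triaging this, the following is an added example (not code from the ticket, not Django's own source) that reimplements, in simplified form, the check that produces "CSRF token missing or incorrect." in Django 3.2: a 32-character secret lives in the `csrftoken` cookie, each rendered form carries a freshly masked copy of that secret, and on POST both are unmasked and compared in constant time. The function names (`mask_secret`, `unmask_token`, `check_csrf`, `scenario`) and the secrets are constructed here for illustration. It shows two things the reporter's steps touch on: a token from one tab is accepted against the same cookie even if another tab rendered the form later (tokens are bound to the cookie secret, not to a tab), and a form token fails only when the cookie the browser sends at submit time unmasks to a different secret than the one the form was rendered against. Why the cookie would differ on this particular site is not something the ticket establishes, so the example does not claim a cause.

```python
"""Simplified model of Django 3.2's double-submit CSRF check (reimplementation, not Django code)."""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
# Reason strings as they appear in the 403 page / the reporter's warning emails.
REASON_BAD_TOKEN = "CSRF token missing or incorrect."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    """Random alphanumeric secret (the value Django keeps behind the csrftoken cookie)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, mask=None):
    """Return mask + (secret shifted character-wise by mask), like Django's _mask_cipher_secret.
    A fresh random mask per call means every rendered form shows a different token string."""
    if mask is None:
        mask = new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_token(token):
    """Invert mask_secret; a negative index wraps around, which is the modular subtraction we need."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[x - y] for x, y in pairs)


def sanitize_token(token):
    """Like Django's _sanitize_token (simplified): a malformed token is replaced by a fresh
    random one, which then cannot possibly match the cookie."""
    if len(token) == CSRF_TOKEN_LENGTH and set(token) <= set(CSRF_ALLOWED_CHARS):
        return token
    return mask_secret(new_csrf_string())


def check_csrf(cookie_token, form_token):
    """Return None if the POST passes the CSRF check, otherwise the rejection reason."""
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    if form_token is None:
        return REASON_BAD_TOKEN
    cookie_secret = unmask_token(sanitize_token(cookie_token))
    form_secret = unmask_token(sanitize_token(form_token))
    if not hmac.compare_digest(cookie_secret.encode(), form_secret.encode()):
        return REASON_BAD_TOKEN
    return None


def render_form(cookie_secret):
    """What a GET of the contact page leaves in the HTML: the cookie's secret, re-masked."""
    return mask_secret(cookie_secret)


def scenario():
    """Constructed walkthrough of the multi-tab situation; secrets are made up here."""
    s1 = new_csrf_string()
    cookie_v1 = mask_secret(s1)        # csrftoken cookie set on the first visit
    form_tab1 = render_form(s1)        # token embedded in the form opened in tab 1
    form_tab2 = render_form(s1)        # same cookie, second tab: different mask, same secret

    s2 = new_csrf_string()
    cookie_v2 = mask_secret(s2)        # a cookie holding a different secret at submit time

    return {
        "same_cookie": check_csrf(cookie_v1, form_tab1),            # accepted
        "other_tab_same_cookie": check_csrf(cookie_v1, form_tab2),  # accepted: not per-tab
        "cookie_replaced": check_csrf(cookie_v2, form_tab1),        # the reporter's 403
        "no_cookie": check_csrf(None, form_tab1),
        "no_token": check_csrf(cookie_v1, None),
    }


if __name__ == "__main__":
    for name, reason in scenario().items():
        print(f"{name}: {'accepted' if reason is None else reason}")
```

The practical check this suggests for anyone reproducing the ticket: in the browser's devtools, compare the `csrftoken` cookie sent with the failing POST against the `csrfmiddlewaretoken` hidden field of the page that was submitted; the submission is rejected exactly when the two unmask to different secrets (or when the cookie is absent), regardless of how many tabs rendered forms against the same cookie.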
Change History (3)
comment:1 by , 3 years ago
Cc: | added |
---|
comment:2 by , 3 years ago
Component: | Uncategorized → CSRF |
---|
comment:3 by , 3 years ago
Description: | modified (diff) |
---|