CSRF verification failed. Request aborted.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Widelands Website | Won't Fix | Low | Unassigned | |
Bug Description
I have spotted a bug:
CSRF verification failed. Request aborted.
when I was searching from the website (simple search).
But I couldn't reproduce it until today.
And today I have noticed two things:
1. The CSRF token is sent.
2. Between opening the homepage tab and searching for something, I had logged into Widelands in another tab.
Ad 1.: I have checked in the Firefox debug engine that I sent the CSRF token (payload here):
csrfmiddlewaretoken 0semFHKn6pOtaQ6
q map+generat
section Forum
Ad 2.: I have checked in another browser (Opera) that the bug can be reproduced there.
So try reproducing:
1. Log off the Widelands website
2. Close the web browser (clear all cache, settings, sessions, whatever?)
3. Open the web browser and go to the Widelands webpage
4. Copy the page / open any link within it IN A SECOND TAB!
5. Log in there (click login and enter credentials)
6. Try to search for anything through the simple search.
Thinking it over, I have one idea why this happens:
The session on the server side for the anonymous user is no longer true (after login), so static data (the CSRF token) is not valid any more. But I am not sure here; I have never spotted such a problem.
Changed in widelands-website:
status: New → Confirmed
importance: Undecided → Medium

Changed in widelands-website:
importance: Medium → Low
Thanks for your bug report.
I can confirm this with these steps (Opera):
1. Log out
2. Close additional browser tabs where the website is shown; leave 1 tab with the website open.
3. Open the website in an additional tab and log in there
4. Switch to the other tab (showing not logged in) and try to search with the form in the navigation bar
The problem is that the csrf-token cookie is updated in step 3 (login). Sending a request through the browser tab (showing not logged in) then uses the old CSRF value.
I guess the underlying problem is that the view used in the navigation bar uses a redirect.
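The mechanism named in the report and in the confirmation above (a login rotates the CSRF secret, the shared cookie jar picks up the new cookie, but the stale tab still submits the token that was baked into its hidden form field) can be reproduced without a browser. The script below is an added example written for this page; it is not code from the Widelands website or from Django. It models Django's behaviour from memory (`django.contrib.auth.login()` rotates the CSRF secret; `CsrfViewMiddleware` skips safe methods and otherwise compares the cookie with the `csrfmiddlewaretoken` field), but the class and function names, the shared `Browser` cookie jar and the `reproduce()` driver are assumptions made for the model. It also goes slightly beyond the report by showing two defender-side outcomes: a tab that reads the current cookie right before submitting succeeds, and a search form that uses GET is never CSRF-checked at all.

```python
"""Model of a stale-tab CSRF failure after login rotates the token.

Added example: a simplified model, not Django's or the Widelands site's code.
"""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # Django does not CSRF-check these


class Session:
    """Server-side session: one CSRF secret, possibly a logged-in user."""

    def __init__(self):
        self.csrf_secret = secrets.token_hex(16)
        self.user = None


class Browser:
    """One cookie jar shared by every tab, as in a real browser (assumed model)."""

    def __init__(self):
        self.cookies = {}


class Tab:
    """A rendered page: the token was written into the hidden form field at render time."""

    def __init__(self, hidden_field):
        self.hidden_field = hidden_field


def render_page(browser, session):
    """Server renders a page: sets the csrftoken cookie and bakes the same
    value into the form's hidden csrfmiddlewaretoken field."""
    browser.cookies["csrftoken"] = session.csrf_secret
    return Tab(session.csrf_secret)


def login(browser, session, username):
    """Modelled on Django's auth.login(): the CSRF secret is rotated and the
    response that logs the user in sets the new cookie in the shared jar."""
    session.user = username
    session.csrf_secret = secrets.token_hex(16)
    browser.cookies["csrftoken"] = session.csrf_secret


def submit(browser, tab, method="POST", refresh_from_cookie=False):
    """Client side: build the request a tab sends when its search form is submitted.

    refresh_from_cookie=True models a page that reads the live csrftoken cookie
    just before submitting instead of trusting the field rendered earlier."""
    token = browser.cookies.get("csrftoken") if refresh_from_cookie else tab.hidden_field
    return {
        "method": method,
        "cookie": browser.cookies.get("csrftoken"),
        "csrfmiddlewaretoken": token,
    }


def verify(request):
    """Server-side check modelled on CsrfViewMiddleware: safe methods are exempt;
    otherwise the cookie and the form field must both exist and match."""
    if request["method"] in SAFE_METHODS:
        return True
    cookie = request.get("cookie")
    field = request.get("csrfmiddlewaretoken")
    if cookie is None or field is None:
        return False
    return hmac.compare_digest(cookie, field)


def reproduce(refresh_from_cookie=False, method="POST"):
    """Replay the reported steps and return whether the stale tab's search passes."""
    browser = Browser()
    session = Session()
    stale_tab = render_page(browser, session)   # steps 3/4: anonymous page left open
    render_page(browser, session)               # second tab opened from it
    login(browser, session, "reporter")         # step 5: login in the second tab rotates the token
    return verify(submit(browser, stale_tab, method, refresh_from_cookie))


def fresh_tab_works():
    """Control case: a tab rendered after login carries the rotated token and passes."""
    browser = Browser()
    session = Session()
    login(browser, session, "reporter")
    return verify(submit(browser, render_page(browser, session)))


if __name__ == "__main__":
    print("stale tab, POST:             ", reproduce())                          # False
    print("stale tab, token from cookie:", reproduce(refresh_from_cookie=True))  # True
    print("stale tab, GET search form:  ", reproduce(method="GET"))              # True
    print("fresh tab after login:       ", fresh_tab_works())                    # True
```

The first line of output is the bug as reported: the cookie has moved on but the hidden field has not, so the comparison fails and Django answers "CSRF verification failed. Request aborted." The other lines show why this is a usability problem rather than a security hole: the check is doing exactly what it should, and either reading the live cookie at submit time or making a read-only search form use GET avoids the stale-token mismatch.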