CSRF verification failed. Request aborted.

Bug #1801620 reported by Albert Einstein on 2018-11-04
Affects: Widelands Website
Importance: Low
Assigned to: Unassigned

Bug Description

I have spotted a bug:

CSRF verification failed. Request aborted.
when I was searching from the website (simple search).
But I couldn't reproduce it until today.

And today I have noticed two things:
1. CSRF token is sent
2. Between opening the tab homepage and searching something I have logged into Widelands on other tab.

Ad 1.: I have checked in the Firefox debug engine that I have sent the CSRF token (payload here):
csrfmiddlewaretoken 0semFHKn6pOtaQ6FnLhYebyORox30xJvx8IeuW6blGKkjdfhzy1Y724xteBSXEIL
q map+generat
section Forum

Ad 2.: I have checked in another browser (Opera) that the bug can be reproduced there.

So try reproducing:

1. Log off the Widelands website
2. Close web browser (clear all cache, settings, sessions, whatever?)
3. Open web browser and go to Widelands webpage
4. Copy the page / open any link within it ON SECOND TAB!
5. Log in there (click login and pass credentials)
6. Try to search anything through simple-search.

Thinking about it, I have one idea why that is:
The session on the server side for the anonymous user is no longer true (after login), so static data (the CSRF token) is not valid any more. But I am not sure here, I have never spotted such a problem.

kaputtnik (franku) on 2018-11-05
Changed in widelands-website:
status: New → Confirmed
importance: Undecided → Medium
kaputtnik (franku) wrote:

Thanks for your bug report.

I can confirm this with these steps (Opera):

1. Log out
2. Close additional Browser tabs where the website is shown, leave 1 tab with the website open.
3. Open the website in an additional tab and login here
4. Switch to the other tab (showing not logged in) and try to search with the form in the navigation bar

The problem is that the csrf-token cookie is updated in step 3 (login). Sending a request through the browser's tab (showing not logged in) then uses the old csrf value.

I guess the underlying problem is that the view used in the navigation bar uses a redirect.
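
The stale-token failure described in this comment, as an added illustration that is neither the Widelands website's nor Django's own code: it re-implements Django's cookie-secret / masked-form-token scheme in simplified form (all function names here are my own) and shows why the old tab's token fails once login rotates the secret, while a GET search or a token re-read at submit time still passes.

```python
import secrets
import string
from typing import Optional

# Character set and masking scheme modelled on Django's CSRF middleware;
# this is an added, simplified re-implementation for illustration only.
ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 32

def new_secret() -> str:
    """Random CSRF secret as stored in the csrftoken cookie / session."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LENGTH))

def mask_secret(secret: str) -> str:
    """Per-form token: random mask || (secret shifted character-wise by the mask)."""
    mask = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LENGTH))
    pairs = zip((ALPHABET.index(c) for c in secret), (ALPHABET.index(c) for c in mask))
    cipher = "".join(ALPHABET[(s + m) % len(ALPHABET)] for s, m in pairs)
    return mask + cipher

def unmask_token(token: str) -> str:
    """Recover the secret from a masked form token."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    pairs = zip((ALPHABET.index(c) for c in cipher), (ALPHABET.index(c) for c in mask))
    return "".join(ALPHABET[(x - m) % len(ALPHABET)] for x, m in pairs)

def csrf_check(method: str, cookie_secret: str, form_token: Optional[str]) -> bool:
    """Middleware rule: safe methods skip the check; unsafe methods need a
    form token that unmasks to the secret currently in the cookie."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    if form_token is None or len(form_token) != 2 * SECRET_LENGTH:
        return False
    return secrets.compare_digest(unmask_token(form_token), cookie_secret)

def stale_tab_scenario() -> dict:
    """Reproduce the report: tab 1 renders a form, tab 2 logs in (rotating
    the secret), then tab 1 submits the token baked into its old form."""
    anon_secret = new_secret()
    tab1_token = mask_secret(anon_secret)       # token rendered into tab 1's form
    logged_in_secret = new_secret()             # login rotated the cookie secret
    return {
        "fresh_post": csrf_check("POST", anon_secret, tab1_token),
        "stale_post": csrf_check("POST", logged_in_secret, tab1_token),   # the bug
        "stale_get": csrf_check("GET", logged_in_secret, tab1_token),     # GET search passes
        "refetched_post": csrf_check("POST", logged_in_secret, mask_secret(logged_in_secret)),
    }
```

`stale_post` is the "CSRF verification failed" case from the report; the last two entries are the two ways the stale tab would still succeed.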

kaputtnik (franku) wrote:

Thanks for the link, which describes the problem very well :)

The proposed solution looks good to me. I am currently working on other things, so this bug has to wait for a fix.

kaputtnik (franku) on 2018-12-15
Changed in widelands-website:
importance: Medium → Low