[Django] #26201: CSRF verification failed. Request aborted. screen is shown to end users


Django

Feb 10, 2016, 4:30:51 AM2/10/16
to django-...@googlegroups.com
#26201: CSRF verification failed. Request aborted. screen is shown to end users
-------------------------------+--------------------
Reporter: wimfeijen | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.9
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Hello,

When debug is set to False, my customers can be confronted with a yellow
error screen, saying:

Forbidden (403)

CSRF verification failed. Request aborted.

I believe this happens when someone has two tabs open. He logs in and out
in one tab. Then, in the other tab he fills in a form which now holds an
invalid csrf-token.

I would like this error to be end-user friendly: meaning I'd rather show
him a default 404-page which is defined by me and is worded in a way the
end user understands. And I would like to receive an error message.

Thanks! Wim

--
Ticket URL: <https://code.djangoproject.com/ticket/26201>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Feb 10, 2016, 4:31:11 AM2/10/16
to django-...@googlegroups.com
#26201: CSRF verification failed. Request aborted. screen is shown to end users
-------------------------------+--------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by wimfeijen):

* needs_better_patch: => 0
* version: 1.9 => 1.8
* needs_tests: => 0
* needs_docs: => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:1>

Django

Feb 10, 2016, 4:41:18 AM2/10/16
to django-...@googlegroups.com
#26201: CSRF verification failed. Request aborted. screen is shown to end users
-------------------------------+--------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by aaugustin):

I think this is a false positive of the CSRF protection. It happens
because the CSRF token is rotated on login.

It was likely discussed on the mailing list or in another ticket before
but I don't remember the outcome.

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:2>

Django

Feb 10, 2016, 8:27:03 AM2/10/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* type: Uncategorized => Cleanup/optimization
* stage: Unreviewed => Accepted
* component: Uncategorized => Documentation


Comment:

As for how to customize the CSRF error page,
[https://docs.djangoproject.com/en/dev/ref/csrf/#rejected-requests see the
docs].

I'll accept this ticket to add an FAQ to the list started in #26165. In
his security talk at [https://opbeat.com/events/duth/ Django Under the
Hood 2015], Florian said rotating the token on login "is a security
feature and won't change."

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:3>

Django

Feb 10, 2016, 9:51:18 AM2/10/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by wimfeijen):

Hi, thanks Aymeric and Tim for your quick response and reference!

My additional proposal would be to change the wording of the error message
to something an end-user would understand, for example:

Access forbidden (403 error)

Please reload the page to try again.

Your request was aborted due to a CSRF verification failure.

Please report to the site's administrator if the problem persists.

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:4>

Django

Feb 20, 2016, 2:59:56 AM2/20/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by zachborboa):

* cc: zachborboa@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:5>

Django

Mar 8, 2016, 9:24:31 PM3/8/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by collinanderson):

This happens to my users pretty frequently for whatever reason (possibly
the back button is involved). Reloading the POST request doesn't fix it,
because it will re-POST the old csrf token. The user needs to press back,
reload (GET) the page, and then re-submit the form.

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:6>
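The two comments above, Aymeric's (the token is rotated on login) and Collin's (a browser reload re-POSTs the stale token, so only a fresh GET fixes it), as a small Python model. This is an illustration added here, not code from Django or from anyone in the thread. The names `Browser`, `render_form`, `login`, `check_csrf` and the two scenario functions are mine; the model keeps only the cookie-token versus form-token comparison and omits Django's per-response token masking.

```python
"""Model of the CSRF false positive discussed in this ticket.

Constructed illustration, not Django's code: a cookie token that must match
the token embedded in the form, and that is replaced when the user logs in.
"""
import hmac
import secrets


class Browser:
    """One browser profile: the cookie jar is shared by every open tab."""

    def __init__(self):
        # The server sets the csrftoken cookie on the first response that needs it.
        self.csrf_cookie = secrets.token_hex(16)


def render_form(browser):
    """GET of a page with a form: the template tag copies the current cookie
    token into a hidden csrfmiddlewaretoken field. The returned dict is what
    that tab will POST later, even if the cookie changes in the meantime."""
    return {"csrfmiddlewaretoken": browser.csrf_cookie}


def login(browser):
    """Login rotates the token: a token issued before authentication must not
    stay valid once the user is authenticated, so the cookie is replaced."""
    browser.csrf_cookie = secrets.token_hex(16)


def check_csrf(browser, posted_form):
    """POST handling: reject (403) unless the form token equals the cookie
    token. Constant-time compare so the check leaks nothing about the token."""
    token = posted_form.get("csrfmiddlewaretoken", "")
    return hmac.compare_digest(token, browser.csrf_cookie)


def two_tab_scenario():
    """Reproduce the ticket: a form loaded before login is submitted after it.

    Returns (first_post_ok, browser_reload_ok, after_fresh_get_ok).
    """
    browser = Browser()
    tab_a = render_form(browser)      # tab A: form rendered with token T1
    login(browser)                    # tab B: user logs in, cookie becomes T2
    first_post_ok = check_csrf(browser, tab_a)      # T1 != T2 -> 403
    # "Reload" on the 403 page re-sends the same POST body, so the stale T1
    # is submitted again and the request fails the same way.
    browser_reload_ok = check_csrf(browser, tab_a)
    # Back, then reload the form page (a GET): the form is re-rendered with T2.
    tab_a = render_form(browser)
    after_fresh_get_ok = check_csrf(browser, tab_a)
    return first_post_ok, browser_reload_ok, after_fresh_get_ok


def forged_request_rejected():
    """The same comparison is what stops a genuine cross-site POST: the
    attacker's page cannot read the victim's cookie, so it cannot supply a
    matching token and can only guess."""
    browser = Browser()
    attacker_form = {"csrfmiddlewaretoken": secrets.token_hex(16)}  # a guess
    return not check_csrf(browser, attacker_form)


if __name__ == "__main__":
    print("two-tab scenario (first POST, reload, GET then POST):",
          two_tab_scenario())
    print("forged cross-site POST rejected:", forged_request_rejected())
```

The model makes the trade-off explicit: the check that rejects the stale tab is the same check that rejects a forged request, which is why rotation on login is kept. The friendlier page Wim asks for is a separate knob, the `CSRF_FAILURE_VIEW` setting in the docs Tim links, which names the view that renders the 403.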

Django

Apr 3, 2016, 4:48:42 AM4/3/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: vehrlich
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by vehrlich):

* status: new => assigned
* owner: nobody => vehrlich


--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:7>

Django

Apr 3, 2016, 6:02:19 AM4/3/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: vehrlich
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by vehrlich):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:8>

Django

Apr 4, 2016, 7:25:40 AM4/4/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: vehrlich
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by timgraham):

[https://github.com/django/django/pull/6391 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:9>

Django

Apr 5, 2016, 11:03:47 AM4/5/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: vehrlich
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 1.8
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"369fa471f46cd517edf5fc82e4ef6138de3cff6e" 369fa47]:
{{{
#!CommitTicketReference repository=""
revision="369fa471f46cd517edf5fc82e4ef6138de3cff6e"
Fixed #26201 -- Documented the consequences of rotating the CSRF token on
login.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:10>

Django

Apr 5, 2016, 7:37:15 PM4/5/16
to django-...@googlegroups.com
#26201: Document the consequences of rotating the CSRF token on login
--------------------------------------+------------------------------------
Reporter: wimfeijen | Owner: vehrlich
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 1.8
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"147f9a0d2a31a90df413158ecaa7778a1f21e281" 147f9a0d]:
{{{
#!CommitTicketReference repository=""
revision="147f9a0d2a31a90df413158ecaa7778a1f21e281"
[1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF
token on login.

Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:11>
