When debug is set to False, my customers can be confronted with a yellow
error screen, saying:
Forbidden (403)
CSRF verification failed. Request aborted.
I believe this happens when someone has two tabs open. He logs in and out
in one tab. Then, in the other tab he fills in a form which now holds an
invalid CSRF token.
I would like this error to be end-user friendly: meaning I'd rather show
him a default 404-page which is defined by me and is worded in a way the
end user understands. And I would like to receive an error message.
Thanks! Wim
--
Ticket URL: <https://code.djangoproject.com/ticket/26201>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* needs_better_patch: => 0
* version: 1.9 => 1.8
* needs_tests: => 0
* needs_docs: => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:1>
Comment (by aaugustin):
I think this is a false positive of the CSRF protection. It happens
because the CSRF token is rotated on login.
It was likely discussed on the mailing list or in another ticket before
but I don't remember the outcome.
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:2>
* type: Uncategorized => Cleanup/optimization
* stage: Unreviewed => Accepted
* component: Uncategorized => Documentation
Comment:
As for how to customize the CSRF error page,
[https://docs.djangoproject.com/en/dev/ref/csrf/#rejected-requests see the
docs].
I'll accept this ticket to add an FAQ to the list started in #26165. In
his security talk at [https://opbeat.com/events/duth/ Django Under the
Hood 2015], Florian said rotating the token on login "is a security
feature and won't change."
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:3>
Comment (by wimfeijen):
Hi, thanks Aymeric and Tim for your quick response and reference!
My additional proposal would be to change the wording of the error message
to something an end-user would understand, for example:
Access forbidden (403 error)
Please reload the page to try again.
Your request was aborted due to a CSRF verification failure.
Please report to the site's administrator if the problem persists.
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:4>
* cc: zachborboa@… (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:5>
Comment (by collinanderson):
This happens to my users pretty frequently for whatever reason (possibly
the back button is involved). Reloading the POST request doesn't fix it,
because it will re-POST the old csrf token. The user needs to press back,
reload (GET) the page, and then re-submit the form.
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:6>
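An added example (not from the ticket or from Django itself) of the customization comment:2 points to, combining the user-facing wording Wim asks for in comment:3 with Collin's observation in comment:5 that re-sending the POST replays the stale token: a view wired up through the documented `CSRF_FAILURE_VIEW` setting that shows a plain-language page and logs the failure for the site operator. The module path `myapp.views`, the logger name and the `make_request` helper are assumptions; the stand-in response class exists only so the file also runs where Django is not installed.

```python
# Added example, not Django's own code: a custom CSRF failure view. Enable it
# with CSRF_FAILURE_VIEW = "myapp.views.csrf_failure" (assumed module path).
import logging
from html import escape
from types import SimpleNamespace

try:
    from django.http import HttpResponseForbidden
except ImportError:
    # Stand-in with the same interface so the file also runs without Django
    # installed (an assumption made for this example only).
    class HttpResponseForbidden:
        status_code = 403

        def __init__(self, content=b"", content_type="text/html"):
            self.content = content
            self.headers = {"Content-Type": content_type}

log = logging.getLogger("myapp.security.csrf")  # assumed logger name

# Plain-language text for the end user. As comment:5 notes, re-sending the
# POST replays the stale token, so the advice is to reload the form (GET).
USER_LINES = (
    "Your request could not be processed (error 403).",
    "Go back to the form, reload that page, and submit it again.",
    "This usually happens after logging in or out in another browser tab.",
    "If the problem persists, please contact the site's administrator.",
)


def describe_failure(request, reason):
    """Operator-facing log line: Django's reason, the request and the Referer.
    Deliberately never includes any cookie or token value."""
    referer = request.META.get("HTTP_REFERER", "-")
    return f"CSRF failure: {reason} on {request.method} {request.path} (referer={referer})"


def csrf_failure(request, reason=""):
    """Signature Django expects for CSRF_FAILURE_VIEW."""
    log.warning(describe_failure(request, reason))
    body = "<h1>Access forbidden (403 error)</h1>" + "".join(
        f"<p>{escape(line)}</p>" for line in USER_LINES)
    # Bytes plus an explicit content type keep the real Django response
    # usable even when settings are not configured (as in a bare run).
    return HttpResponseForbidden(body.encode("utf-8"),
                                 content_type="text/html; charset=utf-8")


def make_request(method="POST", path="/", referer=None):
    """Constructed minimal request object for exercising the view stand-alone."""
    meta = {"HTTP_REFERER": referer} if referer else {}
    return SimpleNamespace(method=method, path=path, META=meta)
```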
* status: new => assigned
* owner: nobody => vehrlich
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:7>
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:8>
Comment (by timgraham):
[https://github.com/django/django/pull/6391 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:9>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"369fa471f46cd517edf5fc82e4ef6138de3cff6e" 369fa47]:
{{{
#!CommitTicketReference repository=""
revision="369fa471f46cd517edf5fc82e4ef6138de3cff6e"
Fixed #26201 -- Documented the consequences of rotating the CSRF token on
login.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:10>
Comment (by Tim Graham <timograham@…>):
In [changeset:"147f9a0d2a31a90df413158ecaa7778a1f21e281" 147f9a0d]:
{{{
#!CommitTicketReference repository=""
revision="147f9a0d2a31a90df413158ecaa7778a1f21e281"
[1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF
token on login.
Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/26201#comment:11>