@csrf_protect annoying on django.contrib.auth.views.login


md...@pdx.edu

Jul 1, 2015, 7:13:42 PM
to django-d...@googlegroups.com
Is there a reason django.contrib.auth.views.login should be decorated with csrf_protect? It results in annoying behavior, in the following scenario:

In a browser window (Window1), go to the login page.
In another browser window (Window2), go to the login page, and actually login, then logout.
Back in Window1, fill in your credentials, and try to login. You get a 403.

It seems like django.contrib.auth.views.login should be decorated with csrf_exempt instead. Are there any major security implications?

Collin Anderson

Jul 1, 2015, 7:29:32 PM
to django-d...@googlegroups.com
Hi,

This is the best reason I could find:

One thing that's going on here is that the csrftoken changes every time someone logs in, so the old login page now has a stale token. The changing csrf token has bitten me a bunch of times. I've gotten around it by using javascript to correct the token when submitting the form.

$(document).on('submit', 'form[method=post]', function() {
  // Re-read the live token from the csrftoken cookie so the hidden field is not stale
  var match = document.cookie.match('csrftoken=([a-zA-Z0-9]{32})');
  if (match) {
    $(this.csrfmiddlewaretoken).val(match[1]);
  }
});

Collin
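
The stale-token scenario Collin describes, as an added example that is not part of the original thread and not Django's own code: a self-contained Python model of the double-submit check (cookie value must match the hidden form field), the token rotation that happens on login, and Collin's workaround of re-reading the cookie just before submit. The Server, Browser and refresh_from_cookie names, the 32-character hex token and the status-code return values are all assumptions of this example.

```python
# Added example (not Django's own code): a minimal model of Django's CSRF
# double-submit check, showing why a login page rendered before another
# window logs in ends up with a stale hidden field, and how copying the
# current cookie into the field before submit avoids the 403.
import hmac
import secrets

TOKEN_LENGTH = 32  # length of the csrftoken cookie value assumed here


class Browser:
    """Cookie jar shared by every window of one browser (constructed for the example)."""

    def __init__(self):
        self.cookies = {}


class Server:
    """Stand-in for CsrfViewMiddleware plus a login view that rotates the token."""

    def ensure_token(self, browser):
        if "csrftoken" not in browser.cookies:
            browser.cookies["csrftoken"] = secrets.token_hex(TOKEN_LENGTH // 2)
        return browser.cookies["csrftoken"]

    def render_login_page(self, browser):
        # The rendered form carries the token as it existed at render time.
        return {"csrfmiddlewaretoken": self.ensure_token(browser)}

    def check_csrf(self, browser, form):
        cookie = browser.cookies.get("csrftoken")
        submitted = form.get("csrfmiddlewaretoken", "")
        if cookie is None or not hmac.compare_digest(cookie, submitted):
            return 403
        return 200

    def login(self, browser, form):
        status = self.check_csrf(browser, form)
        if status == 200:
            # Rotation on successful login: a token issued to the browser before
            # authentication must not stay valid for the authenticated session.
            browser.cookies["csrftoken"] = secrets.token_hex(TOKEN_LENGTH // 2)
        return status


def refresh_from_cookie(browser, form):
    """Equivalent of the jQuery submit handler: copy the live cookie into the hidden field."""
    token = browser.cookies.get("csrftoken")
    if token is not None and len(token) == TOKEN_LENGTH:
        form = dict(form, csrfmiddlewaretoken=token)
    return form


def scenario(use_workaround):
    """Window1 opens the login page, Window2 logs in, then Window1 submits."""
    server = Server()
    browser = Browser()
    window1 = server.render_login_page(browser)   # Window1: opened, not yet submitted
    window2 = server.render_login_page(browser)   # Window2: same cookie, same token
    assert server.login(browser, window2) == 200  # Window2 logs in; cookie is rotated
    if use_workaround:
        window1 = refresh_from_cookie(browser, window1)
    return server.login(browser, window1)         # 403 when stale, 200 when refreshed


if __name__ == "__main__":
    print("without workaround:", scenario(False))
    print("with workaround:", scenario(True))
```

The comparison uses hmac.compare_digest so the check itself is constant-time; the interesting part is that the form field, not the cookie, is what goes stale, which is why the fix is to read the cookie at submit time rather than at render time.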

md...@pdx.edu

Jul 2, 2015, 11:09:12 AM
to django-d...@googlegroups.com
I was not aware of that kind of attack. It's pretty clever.

Thanks for the info and the workaround JS.

Wim Feijen

Jul 16, 2015, 11:51:21 AM
to django-d...@googlegroups.com
Hi,

We are experiencing the same problem when a user changes his language. We are using a post form for that, see: https://roominreturn.nl

1. What is annoying is that the csrf Forbidden page is a yellow page and is shown to the end user. We would never want to confront a visitor with a yellow Forbidden page with techy remarks. Our default 400-page would be ok though.
2. Actually, I am not that handy with js and we don't understand Collin's solution. How do we refresh the csrf-token? Implementing the code literally gives csrf-errors.

For my first point, should I make a ticket for that? What I would really want is that I know about the error and that data is sent to me, so I can act on it.
For the second point, any help is appreciated. 

Regards, Wim  

Alasdair Nicol

Jul 16, 2015, 12:21:21 PM
to django-d...@googlegroups.com
Hi Wim,

On 16/07/15 16:51, Wim Feijen wrote:
> Hi,
>
> We are experiencing the same problem when a user changes his language.
> We are using a post form for that, see: https://roominreturn.nl .
>
> 1. What is annoying is that the csrf Forbidden page is a yellow page and
> is shown to the end user. We would never want to confront a visitor with
> a yellow Forbidden page with techy remarks. Our default 400-page would
> be ok though.

Note that you can avoid the yellow page with the CSRF_FAILURE_VIEW
setting. The view can be as simple as:

from django.shortcuts import render


def csrf_failure(request, reason=""):
    """
    Friendly view for settings.CSRF_FAILURE_VIEW.
    Django passes the failure reason in `reason`; it is not shown to the visitor here.
    """
    return render(request, 'friendly_csrf_failure_template.html',
                  status=403)

Then in your settings add

CSRF_FAILURE_VIEW = 'path.to.csrf_failure'

Cheers,
Alasdair

[1]: https://docs.djangoproject.com/en/1.8/ref/settings/#csrf-failure-view

--
Alasdair Nicol
Developer, MEMSET

mail: alas...@memset.com
web: http://www.memset.com/

Memset Ltd., registration number 4504980.
Building 87, Dunsfold Park, Stovolds Hill, Cranleigh, Surrey, GU6 8TB, UK