CSRF verification failed. Request aborted.


zgohr

May 20, 2013, 9:33:50 AM
to mezzani...@googlegroups.com
Clear your cookies or open a new incognito Chrome window for the same purpose. Head over to mezzanine.jupo.org/account and try logging in with demo:demo. The very first time this request gets made I'm seeing "Forbidden (403) CSRF verification failed. Request aborted." Pressing the browser "Back" button and trying again will succeed.

This same thing is happening on a site I am running with Mezzanine 1.4.6. Turning DEBUG on shows that the csrf token is getting sent with the POST request, so I'm not sure where to go next. I can't seem to reproduce when logging in via the admin site.

Ken Bolton

May 20, 2013, 12:01:34 PM
to mezzanine-users
Confirming that this happens on the demo site.

This issue is being tracked at https://github.com/stephenmcd/mezzanine/issues/676.


Stephen McDonald

May 21, 2013, 6:14:06 AM
to mezzani...@googlegroups.com
Thanks guys. I believe I've fixed the issue here:


This is really difficult to reproduce. In order for it to happen:

1) cache has to be set up correctly
2) cookies cleared (or first ever request to the site)
3) the form page being viewed then submitted needs to trigger a cache *miss* - so the error would only occur once every X minutes at most, where X minutes is the cache expiry.

If anyone's able to verify that the above fix resolves this issue for them, that would be a great help. It's a bit hard to rely on the demo site for verifying the fix (I have deployed it there nonetheless) since it's dependent on the timing of a cache miss. So on your own site the easiest steps to reproduce, with cache set up correctly:

1) clear cookies (or incognito mode with chrome)
2) delete everything from the site's cache (I use the file based cache which makes this easy, just delete the local cache directory; I guess you could restart memcache too)
3) load a page with a form on it, and submit it

If you can try those steps both before and after the above fix, you should be able to consistently reproduce the error, and then see it resolved when running again with the fix.
--
Stephen McDonald
http://jupo.org
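A small diagnostic that scripts the three reproduction steps above (a fresh cookie jar stands in for cleared cookies; step 2, flushing the cache, is still done by hand on the server). This is an added example, not code from the thread or from Mezzanine; it assumes Django's defaults (a `csrftoken` cookie and a `csrfmiddlewaretoken` hidden field), a form URL passed on the command line, and the `username`/`password` field names of the login form.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Django renders <input type="hidden" name="csrfmiddlewaretoken" value="...">;
# accept either attribute order so the check does not depend on template quirks.
TOKEN_NAME_FIRST = re.compile(r'name=["\']csrfmiddlewaretoken["\']\s+value=["\']([^"\']+)["\']')
TOKEN_VALUE_FIRST = re.compile(r'value=["\']([^"\']+)["\']\s+name=["\']csrfmiddlewaretoken["\']')


def extract_csrf_token(html):
    """Return the csrfmiddlewaretoken hidden-field value, or None if the page has none."""
    for pattern in (TOKEN_NAME_FIRST, TOKEN_VALUE_FIRST):
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None


def csrf_cookie_set(set_cookie_headers, cookie_name="csrftoken"):
    """True if any Set-Cookie header on the GET response creates the CSRF cookie."""
    return any(h.split("=", 1)[0].strip() == cookie_name for h in set_cookie_headers)


def diagnose(form_token, cookie_present, post_status):
    """Classify one GET+POST round against the symptom reported in the thread."""
    if post_status != 403:
        return "ok: submission accepted from a cold cookie jar"
    if form_token is None:
        return "403: form page carried no csrfmiddlewaretoken field"
    if not cookie_present:
        return "403: token rendered in form but GET response never set the csrftoken cookie"
    return "403: token and cookie both present; compare their values and check cache-miss timing"


def run_once(form_url, fields):
    """Step 1 (fresh jar), step 3 (GET the form page, then POST it) from the thread."""
    jar = CookieJar()  # empty jar == cleared cookies / incognito window
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(form_url) as resp:
        html = resp.read().decode("utf-8", "replace")
        set_cookies = resp.headers.get_all("Set-Cookie") or []
    token = extract_csrf_token(html)
    body = urllib.parse.urlencode({**fields, "csrfmiddlewaretoken": token or ""}).encode()
    req = urllib.request.Request(form_url, data=body, headers={"Referer": form_url})
    try:
        with opener.open(req) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # a 403 here is the "CSRF verification failed" page
    return diagnose(token, csrf_cookie_set(set_cookies), status)


if __name__ == "__main__":
    # Usage: python csrf_check.py https://YOUR-SITE/account/  (demo:demo as in the thread)
    print(run_once(sys.argv[1], {"username": "demo", "password": "demo"}))
```

Run it once right after flushing the cache (cold miss) and once more immediately afterwards (warm hit); the two verdicts differing is the timing dependence Stephen describes.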

zgohr

May 21, 2013, 9:25:48 AM
to mezzani...@googlegroups.com, st...@jupo.org
Looks like this does fix the issue in my case.

Thanks for the quick response, Stephen.

Zach

Stephen McDonald

May 21, 2013, 3:45:39 PM
to mezzani...@googlegroups.com
Awesome, thanks Zach.

I'll push a new version up some time this week.