Expired CSRF token results in "Forbidden" on login attempt #4593
Comments
|
This can be verified by deleting the session cookie while on the login page and then attempting to log in without navigating away. |
|
Unfortunately, we cannot re-obtain the CSRF token in the background, since that would be opening up a vector to retrieve a CSRF token via API, which is verboten... I also hate filling out forms and then seeing the "ok, something went sideways, fill this form again", but it just might be the only solution here. Edit: ... also we cannot detect whether a CSRF token is valid until after the request returns. Edit 2: ... well, we can, but it also happens to use up the CSRF token 😛 |
julianlam
added a commit
that referenced
this issue
May 11, 2016
Error message was always the CSRF message, even when it wasn't a CSRF issue. re: #4593
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It should probably re-obtain the CSRF token and silently try again, or at least give a message along the lines of "please refresh the page".
The text was updated successfully, but these errors were encountered: