CSRF failure should start a new login/registration flow #821

Closed
zhming0 opened this issue Nov 12, 2020 · 4 comments
Labels
feat New feature or request.

Comments

@zhming0
Contributor

zhming0 commented Nov 12, 2020

Describe the bug

Currently, during browser login/signup, CSRF failures will trigger the error flow and land the user in an error page.

When a user clicks the browser's back button and tries to submit the form again, he will see the same error page and be convinced that the site is broken.

I have discussed this with @aeneasr here, and @aeneasr believes it's a bug.

Reproducing the bug

Steps to reproduce the behavior:

  1. Open any /login page of a site backed by Kratos and see that it is redirected to /login?flow=xxx
  2. Take /login?flow=xxx to a new incognito tab (simulating the user accidentally losing the cookie).
  3. Submit the form.
  4. You end up on the error flow page.

Server configuration

Typical server setup matching the demo docker image.

Expected behavior

Expecting one of these:

  • Kratos takes user to a new login flow when detecting CORS failure (no cookie CSRF token but has form CSRF token).
  • Kratos fails the login request with a validation message informing the user that he needs to click a link to reinitialize the login flow.

Environment

  • Version: v0.5.3-alpha.1
  • Environment: Any browser + Kratos official docker image

Additional context

@rauno56
Contributor

rauno56 commented Nov 12, 2020

I'm experiencing a similar problem with the quickstart setup. Logs here.
For v0.4.6-alpha.1 I'm getting another error with infinite redirections. Logs here.
It happens every time - no problem with reproing.

@jamesbirtles

jamesbirtles commented Nov 12, 2020

I've been happily logging in and out all day, then I updated chrome and now all I get is csrf errors. It works perfectly fine still in firefox. This is using a setup mostly following the quickstart (on localhost, UI on different port).

I get this issue in the Chrome dev tools issues panel (with the cookie issues checkbox checked).


I think setting SameSite=Lax would fix it? But it doesn't appear that's a config option for the csrf token; I can only see session.cookie.same_site, which doesn't affect the csrf token cookie.

@aeneasr
Member

aeneasr commented Nov 13, 2020

Ah, we should probably set SameSite=lax if the --dev flag is used for nosurf cookies!

!flagx.MustGetBool(cmd, "dev"),

SameSite: http.SameSiteNoneMode,

Are the files where this should be fixed (with a test :) )
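The two behaviours discussed in this thread, a dev-mode SameSite fallback for the CSRF cookie and redirecting to a fresh flow instead of an error page when the cookie is missing (the incognito-tab case from the original report), as an added, self-contained Go example. This is not Kratos's or nosurf's code: the cookie and form field names, the `newFlowPath` value and the `dev` switch are assumptions chosen for illustration. The SameSite=None cookie is additionally marked Secure because browsers reject None without Secure, which is what breaks on plain-http localhost; in dev mode it falls back to Lax.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed names for this example; none of these are Kratos identifiers.
const (
	csrfCookieName = "csrf_token"                  // assumption: cookie carrying the CSRF token
	csrfFormField  = "csrf_token"                  // assumption: hidden form field carrying the same token
	newFlowPath    = "/self-service/login/browser" // assumption: endpoint that starts a fresh login flow
)

// newCSRFToken returns a random, URL-safe token (constructed here for the example).
func newCSRFToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// csrfCookie builds the CSRF cookie for the given mode. With --dev (plain http
// on localhost) SameSite=None cannot be used because browsers require Secure
// alongside it, so the cookie falls back to SameSite=Lax without Secure.
// In production it is SameSite=None plus Secure so cross-site UI hosts still work.
func csrfCookie(dev bool, token string) *http.Cookie {
	c := &http.Cookie{Name: csrfCookieName, Value: token, Path: "/", HttpOnly: true}
	if dev {
		c.SameSite = http.SameSiteLaxMode
		c.Secure = false
	} else {
		c.SameSite = http.SameSiteNoneMode
		c.Secure = true
	}
	return c
}

// verifyCSRF compares the submitted form token against the cookie token in
// constant time. It returns false when the cookie is absent (the incognito-tab
// case) or when the two values differ.
func verifyCSRF(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	form := r.FormValue(csrfFormField)
	if form == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(form)) == 1
}

// submitLogin implements the expected behaviour from the report: on a CSRF
// failure the browser is sent to a new flow rather than to an error page.
func submitLogin(w http.ResponseWriter, r *http.Request) {
	if !verifyCSRF(r) {
		http.Redirect(w, r, newFlowPath, http.StatusSeeOther)
		return
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("csrf ok, credentials would be checked here"))
}

// postLogin replays a form submission against submitLogin. An empty
// cookieToken simulates the incognito tab that has the form token but no cookie.
func postLogin(formToken, cookieToken string) *httptest.ResponseRecorder {
	form := url.Values{csrfFormField: {formToken}}
	req := httptest.NewRequest(http.MethodPost, "/login?flow=xxx", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookieToken != "" {
		req.AddCookie(csrfCookie(true, cookieToken))
	}
	rec := httptest.NewRecorder()
	submitLogin(rec, req)
	return rec
}

func main() {
	tok := newCSRFToken()
	fmt.Println("with cookie:   ", postLogin(tok, tok).Code)
	fmt.Println("without cookie:", postLogin(tok, "").Code, postLogin(tok, "").Header().Get("Location"))
}
```

The redirect uses 303 so that the browser follows it with a GET and the resubmitted POST is never replayed; the form token alone is never trusted, since the whole point of the double-submit check is that the attacker who can forge the form cannot also set the cookie.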

@aeneasr
Member

aeneasr commented Jun 15, 2021

This is implemented now as we check for CSRF tokens in the handlers as opposed to the middleware!

@aeneasr aeneasr closed this as completed Jun 15, 2021