Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSRF error on /account/login #1020

Open
mbarton opened this issue Aug 13, 2024 · 2 comments
Open

CSRF error on /account/login #1020

mbarton opened this issue Aug 13, 2024 · 2 comments
Labels
security An issue which affects (or could affect) security

Comments

@mbarton
Copy link
Member

mbarton commented Aug 13, 2024

Reported via email by @SAbdin93. Customers see an opaque CSRF error message when trying to log in:

Screenshot from 2024-08-13 15-20-17

We can see from the production logs that it happens occasionally and is caused by a mismatch between the CSRF cookie and the hidden token in the login form:

django-1  | 2024-08-09T10:57:09.101654581Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-09T12:28:34.590409092Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-09T12:28:43.242638408Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-09T12:29:07.995986807Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-09T13:30:36.035838126Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-09T13:30:41.912459997Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/
django-1  | 2024-08-12T15:15:45.274644910Z WARNING [django.security.csrf] Forbidden (CSRF token from POST incorrect.): /account/login/

I've verified using the logs that the user reporting the error saw this exact error message as they were then able to log in afterwards.

The error doesn't stop you logging in by opening another tab and trying again. I'm not exactly sure how it happens but I think it's to do with old tabs staying open in the browser. I've been able to reproduce with the following steps:

  1. Log in
  2. Log out and leave the tab open on the login screen
  3. Open a new tab
  4. Log in in the new tab (this rotates the CSRF token, later triggering the error)
  5. Log out
  6. Try to log in using the old tab without refreshing the page

We can't fix this problem per se without custom logic to retry the request with a new CSRF token which defeats much of the point of having it in the first place. I don't think we should remove it as CSRF tokens on login pages are useful in avoiding attacks where users are tricked into logging in to an account that isn't actually their own (see this Stack Overflow thread).

It is quite straight forward though to punt them back to the login form to try again rather than showing a big angry technical error message. See https://forum.djangoproject.com/t/forbidden-csrf-token-from-post-incorrect-accounts-login/19146/1.
@mbarton mbarton added the security An issue which affects (or could affect) security label Aug 13, 2024
@eatyourpeas
Copy link
Member

I agree better that than what is happening. I am confused though as we used to have a custom 403 page. I am not clear why at least that is not rendering instead of the django one.

@SAbdin93
Copy link

Thank you for looking into this :) - I will let the Clinicians know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security An issue which affects (or could affect) security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mbarton @eatyourpeas @SAbdin93