CSRF failure should start a new login/registration flow #821
Comments
I've been happily logging in and out all day, then I updated Chrome and now all I get is CSRF errors. It works perfectly fine still in Firefox. This is using a setup mostly following the quickstart (on localhost, UI on different port). I get this issue in the Chrome dev tools issue panel (with the cookie issues checkbox checked). I think setting SameSite=Lax would fix it? But it doesn't appear that's a config option for the CSRF token, can only see
This is implemented now as we check for CSRF tokens in the handlers as opposed to the middleware!
Describe the bug
Currently, during browser login/signup, CSRF failures will trigger the error flow and land the user in an error page.
When a user clicks the browser's back button and tries to submit the form again, he will see the same error page and is convinced that the site is broken.
I have discussed this with @aeneasr here, and @aeneasr believes it's a bug.
Reproducing the bug
Steps to reproduce the behavior:
1. Visit the /login page of a site backed by Kratos and see it is redirected to /login?flow=xxx.
2. Copy /login?flow=xxx to a new incognito tab (simulating the user accidentally losing the cookie).
Server configuration
Typical server setup matching the demo docker image.
Expected behavior
Expecting one of these:
Environment
Additional context
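The behaviour the issue asks for, as an added example that is not Kratos's own code: a login-form handler doing a double-submit CSRF check that, on failure (cookie lost in a new tab, or a stale form resubmitted via the back button), redirects the browser to start a new flow instead of rendering a dead-end error page. The cookie and field names and the newFlowPath endpoint are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed names, not Kratos's real cookie/field names or configuration.
const (
	csrfCookieName = "csrf_token"                  // set when the flow was created
	csrfFieldName  = "csrf_token"                  // hidden field rendered in the form
	newFlowPath    = "/self-service/login/browser" // assumed endpoint starting a new flow
)

// csrfOK is the double-submit check: the token posted in the form must equal the
// one in the cookie. A missing cookie (fresh incognito tab) fails the check.
func csrfOK(r *http.Request) bool {
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.PostFormValue(csrfFieldName))) == 1
}
// submitLogin handles the login form POST. On CSRF failure it redirects to a new
// flow instead of rendering a dead-end error page, which is what the issue asks for.
func submitLogin(w http.ResponseWriter, r *http.Request) {
	if !csrfOK(r) {
		http.Redirect(w, r, newFlowPath, http.StatusSeeOther)
		return
	}
	_, _ = w.Write([]byte("login form accepted")) // implicit 200 OK
}
// postLogin drives submitLogin in-process with a constructed request and returns
// the status code and Location header.
func postLogin(cookie, field string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/login?flow=constructed-id",
		strings.NewReader(url.Values{csrfFieldName: {field}}.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	submitLogin(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() { code, loc := postLogin("", "tok"); println(code, loc) } // prints 303 /self-service/login/browser
```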