mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 20:09:18 -05:00
[Feature] detect and "logout" on old csrf token #5287
Closed
opened 2025-11-02 06:20:22 -06:00 by GiteaMirror
·
12 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#5287
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @6543 on GitHub (Apr 22, 2020).
currently if the csrf token becomes infalide you still can act as if you where valid logedin.
If you however triger a POST request by changing setings etc ... you get a csrf token infalide error.
What it should do instead: logout the user
Gitea Version: 1.12.0+dev-225-ge0bf844b0
@choucavalier commented on GitHub (Apr 22, 2020):
Thanks, this would lead to a better UX indeed 🙏
@zeripath commented on GitHub (Apr 22, 2020):
I think logging out would be a bit aggressive here - and could lead to denial of service.
It might be that issuing a redirect would be more correct however we'd need to look for best practices for csrf tokens (my googlefu is failing me here).
If we do want to redirect - we will probably have to change the csrf library to give us the original request back as I think you need that to send a redirect.
@choucavalier commented on GitHub (Apr 22, 2020):
Side note: this happened to me as I was trying to submit a review on a PR. I spent time writing the review and lost my content when I tried to submit it and got this error. In terms of UX that's pretty bad.
@jolheiser commented on GitHub (Apr 22, 2020):
I also had limited luck when searching this, but I'd imagine a redirect would be preferable if the session itself is still valid.
I think in terms of general usage a redirect would be fine, however when it comes to submitting forms and being able to "save" your work, perhaps it's a good tie in to https://github.com/go-gitea/gitea/issues/11004?
@3F commented on GitHub (Apr 22, 2020):
@6543,
Just to be clear, I am not against the way for invalidating token. But I was starting with describing my issue with your Gitea for Firefox https://github.com/go-gitea/gitea/issues/4311#issuecomment-617937199
Where I had sometimes the csrf problem for every ~5 minutes or so. And for the just received "caching problem of Chrome - just delete your cache" [?] I just offer my thoughts that this is not a good idea if I will login again every ~5 minutes. Why I can't just say it? I don't understand.
@zeripath,
What a rude? You're personally insulted me with this!
This is what I'm talking about.
I am grateful to all the volunteers! I am also open source developer, I know what is this. So please keep calm when your users just asking and sharing their opinions (which by the way we are also spending time for configuring and integrating environment with your products, trusting you)
With regards,
@choucavalier commented on GitHub (Apr 22, 2020):
@3F the way you write your messages generates very negative vibes. Apparently I'm not the only one who noticed this. Maybe you should work on your way of communicating your opinions about things. We should all try to be the nicest contributors to work with. :)
@3F commented on GitHub (Apr 22, 2020):
@tgy,
For my
I'd prefer spend ~3 sec for just ...That was sarcasm. Do I need more:)smile for it?But here it is. "sarcasm" was started just because we just received "caching problem of Chrome - just delete your cache". hmm, well, ok. thank you. Right? So I don't see the problems since it was started not by me.
As I said, I just offer my thoughts for the problem that affects for all Gitea users! Nothing more.
@6543 commented on GitHub (Apr 22, 2020):
@3F:
I just read Chrome ... on the original issue (witch was closed) and I know this issue when restarting different gitea versions while working on gitea so my first thought was ... this bad cache thing ... :(
If the csrf error happens regulary, this is sure an issue and is anoying!
In generel we should somehow imprufe wrong csrf request handeling ...
@3F commented on GitHub (Apr 22, 2020):
And for some reason everyone attacked me just when I started clarify the case for the issue.
@6543,
Nothing worry if you're missing something!
You're doing an amazing job! Thank you!
To the team, please be friendly to users too. I was personally not starting anything offensive at all. Just re-read my comments again. Thus, I was very offended by the words of @zeripath
Well, I'm constantly getting this starting with 1.10.3 (when I started use gitea). Currently, I am on 1.11.4. After receiving a new reply to the subscribed issue, I just decided to report about problems for Firefox too.
Maybe just automate the requesting by mentioned combination as a temporary solution (or some option in admin panel)? It can be really easy to implement. And this could be a good option at least before a normal solution.
What do you think? Thanks!
@silverwind commented on GitHub (Apr 23, 2020):
IMHO, CRSF tokens should just be replaced with
SameSiteattribute, see https://github.com/go-gitea/gitea/issues/11188.@stale[bot] commented on GitHub (Aug 1, 2020):
This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
@6543 commented on GitHub (Aug 1, 2020):
I'll close this if fafour of #11188