[Feature] detect and "logout" on old csrf token #5287

Closed
opened 2025-11-02 06:20:22 -06:00 by GiteaMirror · 12 comments
Owner

Originally created by @6543 on GitHub (Apr 22, 2020).

currently if the csrf token becomes infalide you still can act as if you where valid logedin.
If you however triger a POST request by changing setings etc ... you get a csrf token infalide error.

What it should do instead: logout the user

Gitea Version: 1.12.0+dev-225-ge0bf844b0

Originally created by @6543 on GitHub (Apr 22, 2020). currently if the csrf token becomes infalide you still can act as if you where valid logedin. If you however triger a POST request by changing setings etc ... you get a csrf token infalide error. What it should do instead: logout the user Gitea Version: 1.12.0+dev-225-ge0bf844b0
GiteaMirror added the type/featureissue/stale labels 2025-11-02 06:20:22 -06:00
Author
Owner

@choucavalier commented on GitHub (Apr 22, 2020):

Thanks, this would lead to a better UX indeed 🙏

@choucavalier commented on GitHub (Apr 22, 2020): Thanks, this would lead to a better UX indeed 🙏
Author
Owner

@zeripath commented on GitHub (Apr 22, 2020):

I think logging out would be a bit aggressive here - and could lead to denial of service.

It might be that issuing a redirect would be more correct however we'd need to look for best practices for csrf tokens (my googlefu is failing me here).

If we do want to redirect - we will probably have to change the csrf library to give us the original request back as I think you need that to send a redirect.

@zeripath commented on GitHub (Apr 22, 2020): I think logging out would be a bit aggressive here - and could lead to denial of service. It might be that issuing a redirect would be more correct however we'd need to look for best practices for csrf tokens (my googlefu is failing me here). If we do want to redirect - we will probably have to change the csrf library to give us the original request back as I think you need that to send a redirect.
Author
Owner

@choucavalier commented on GitHub (Apr 22, 2020):

Side note: this happened to me as I was trying to submit a review on a PR. I spent time writing the review and lost my content when I tried to submit it and got this error. In terms of UX that's pretty bad.

@choucavalier commented on GitHub (Apr 22, 2020): Side note: this happened to me as I was trying to submit a review on a PR. I spent time writing the review and lost my content when I tried to submit it and got this error. In terms of UX that's pretty bad.
Author
Owner

@jolheiser commented on GitHub (Apr 22, 2020):

I also had limited luck when searching this, but I'd imagine a redirect would be preferable if the session itself is still valid.

I think in terms of general usage a redirect would be fine, however when it comes to submitting forms and being able to "save" your work, perhaps it's a good tie in to https://github.com/go-gitea/gitea/issues/11004?

@jolheiser commented on GitHub (Apr 22, 2020): I also had limited luck when searching this, but I'd imagine a redirect would be preferable if the session itself is still valid. I think in terms of general usage a redirect would be fine, however when it comes to submitting forms and being able to "save" your work, perhaps it's a good tie in to https://github.com/go-gitea/gitea/issues/11004?
Author
Owner

@3F commented on GitHub (Apr 22, 2020):

@6543,

Just to be clear, I am not against the way for invalidating token. But I was starting with describing my issue with your Gitea for Firefox https://github.com/go-gitea/gitea/issues/4311#issuecomment-617937199

Where I had sometimes the csrf problem for every ~5 minutes or so. And for the just received "caching problem of Chrome - just delete your cache" [?] I just offer my thoughts that this is not a good idea if I will login again every ~5 minutes. Why I can't just say it? I don't understand.

@zeripath,

What a rude? You're personally insulted me with this!

I think logging out would be a bit aggressive here
... It might be that issuing a redirect would be more correct

This is what I'm talking about.

I am grateful to all the volunteers! I am also open source developer, I know what is this. So please keep calm when your users just asking and sharing their opinions (which by the way we are also spending time for configuring and integrating environment with your products, trusting you)

With regards,

@3F commented on GitHub (Apr 22, 2020): @6543, Just to be clear, I am not against the way for invalidating token. But I was starting with describing my issue with your Gitea for Firefox https://github.com/go-gitea/gitea/issues/4311#issuecomment-617937199 Where I had sometimes the csrf problem for every ~5 minutes or so. And for the just received "caching problem of Chrome - just delete your cache" [[?]](https://github.com/go-gitea/gitea/issues/4311#issuecomment-617979934) I just offer my thoughts that this is not a good idea if I will login again every ~5 minutes. **Why** I can't just say it? I don't understand. @zeripath, What a rude? You're personally insulted me with this! > I think logging out would be a bit aggressive here > ... It might be that issuing a redirect would be more correct This is what I'm talking about. I am grateful to all the volunteers! I am also open source developer, I know what is this. So please keep calm when your users just asking and sharing their opinions (which by the way we are also spending time for configuring and integrating environment with your products, trusting you) With regards,
Author
Owner

@choucavalier commented on GitHub (Apr 22, 2020):

@3F the way you write your messages generates very negative vibes. Apparently I'm not the only one who noticed this. Maybe you should work on your way of communicating your opinions about things. We should all try to be the nicest contributors to work with. :)

@choucavalier commented on GitHub (Apr 22, 2020): @3F the way you write your messages generates very negative vibes. Apparently I'm not the only one who noticed this. Maybe you should work on your way of communicating your opinions about things. We should all try to be the nicest contributors to work with. :)
Author
Owner

@3F commented on GitHub (Apr 22, 2020):

@tgy,

For my I'd prefer spend ~3 sec for just ... That was sarcasm. Do I need more :) smile for it?

But here it is. "sarcasm" was started just because we just received "caching problem of Chrome - just delete your cache". hmm, well, ok. thank you. Right? So I don't see the problems since it was started not by me.

As I said, I just offer my thoughts for the problem that affects for all Gitea users! Nothing more.

@3F commented on GitHub (Apr 22, 2020): @tgy, For my `I'd prefer spend ~3 sec for just ...` That was sarcasm. Do I need more `:)` smile for it? But here it is. "sarcasm" was started *just because* we just received "caching problem of Chrome - just delete your cache". hmm, well, ok. thank you. Right? So I don't see the problems since it was started not by me. As I said, I just offer my thoughts for the problem that affects for all Gitea users! Nothing more.
Author
Owner

@6543 commented on GitHub (Apr 22, 2020):

@3F:
I just read Chrome ... on the original issue (witch was closed) and I know this issue when restarting different gitea versions while working on gitea so my first thought was ... this bad cache thing ... :(

If the csrf error happens regulary, this is sure an issue and is anoying!

In generel we should somehow imprufe wrong csrf request handeling ...

@6543 commented on GitHub (Apr 22, 2020): @3F: I just read Chrome ... on the original issue (witch was closed) and I know this issue when restarting different gitea versions while working on gitea so my first thought was ... this bad cache thing ... :( If the csrf error happens regulary, this is sure an issue and is anoying! In generel we should **somehow** imprufe wrong csrf request handeling ...
Author
Owner

@3F commented on GitHub (Apr 22, 2020):

I just read Chrome ...

And for some reason everyone attacked me just when I started clarify the case for the issue.

@6543,

Nothing worry if you're missing something!
You're doing an amazing job! Thank you!

To the team, please be friendly to users too. I was personally not starting anything offensive at all. Just re-read my comments again. Thus, I was very offended by the words of @zeripath

If the csrf error happens regulary, this is sure an issue and is anoying!

Well, I'm constantly getting this starting with 1.10.3 (when I started use gitea). Currently, I am on 1.11.4. After receiving a new reply to the subscribed issue, I just decided to report about problems for Firefox too.

In generel we should somehow imprufe wrong csrf request handeling ...

Maybe just automate the requesting by mentioned combination as a temporary solution (or some option in admin panel)? It can be really easy to implement. And this could be a good option at least before a normal solution.

What do you think? Thanks!

@3F commented on GitHub (Apr 22, 2020): > I just read Chrome ... And for some reason everyone attacked me just when I started clarify the case for the issue. @6543, Nothing worry if you're missing something! You're doing an amazing job! Thank you! To the team, please be friendly to users too. I was personally not starting anything offensive at all. Just re-read my comments again. Thus, I was very offended by the words of @zeripath > If the csrf error happens regulary, this is sure an issue and is anoying! Well, I'm constantly getting this starting with 1.10.3 (when I started use gitea). Currently, I am on 1.11.4. After receiving a new reply to the subscribed issue, I just decided to report about problems for Firefox too. > In generel we should somehow imprufe wrong csrf request handeling ... Maybe just automate the requesting by mentioned combination as a temporary solution (or some option in admin panel)? It can be really easy to implement. And this could be a good option at least before a normal solution. What do you think? Thanks!
Author
Owner

@silverwind commented on GitHub (Apr 23, 2020):

IMHO, CRSF tokens should just be replaced with SameSite attribute, see https://github.com/go-gitea/gitea/issues/11188.

@silverwind commented on GitHub (Apr 23, 2020): IMHO, CRSF tokens should just be replaced with `SameSite` attribute, see https://github.com/go-gitea/gitea/issues/11188.
Author
Owner

@stale[bot] commented on GitHub (Aug 1, 2020):

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale[bot] commented on GitHub (Aug 1, 2020): This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.
Author
Owner

@6543 commented on GitHub (Aug 1, 2020):

I'll close this if fafour of #11188

@6543 commented on GitHub (Aug 1, 2020): I'll close this if fafour of #11188
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#5287