Redisplay login page in case of CSRF error

[PVince81]

A CSRF token can expire if one leaves the login page open for several days.

The PHP session containing the old token would expire, so logging in there would cause a token mismatch.

Currently the page is a full page error with no easy way to go back.

We should change this and detect whenever the CSRF error is from the login page, then simply redisplay the login page with a more user friendly message like "You took too long to login, please try again now".

The "CSRF error" page can be kept for other kinds of errors.

cc @pmaier1 @settermjd

[cdamken]

We should change this and detect whenever the CSRF error is from the login page, then simply redisplay the login page with a more user friendly message like "You took too long to login, please try again now".

We could also add when the csrf error appears where to manually redirect to the login webpage by clicking somewhere in the message.

[pmaier1]

Yes, I also run into this issue all the time. We should improve this. I like @PVince81's approach to automatically redirect a lot. Why should it be one more click with a button? @cdamken

[cdamken]

Why should it be one more click with a button? @cdamken

in case the redirect does not work, users could always force it.

[pmaier1]

in case the redirect does not work, users could always force it.

Ok good point. Other pages have a text saying: "Redirecting to login page in 5 sec. If it does not work, click here"

[cdamken]

and now that we all agree... when would be that done?

[PVince81]

Assigning to @VicDeo for 10.0.5. Let's hope it's not too complicated as it might require editing or hacking the base templates...

[VicDeo]

@PVince81
There is no specific "CSRF error" page. This is just a generic 403 page with the respective message.
It comes from the AppFramework.
https://github.com/owncloud/core/blob/master/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php#L196

Would it be enough to redisplay the login page with "You took too long to login, please try again now" at once without any kind of redirect as this is much simpler?

if($exception instanceof NotLoggedInException) {
	$url = $this->urlGenerator->linkToRoute(
		'core.login.showLoginForm',
		[
			'redirect_url' => urlencode($this->request->server['REQUEST_URI']),
		]
	);
	$response = new RedirectResponse($url);

+ // basically checking $exception/$controller/$methodName
+} elseif (
+		$methodName === 'tryLogin'
+		&& $exception instanceof CrossSiteRequestForgeryException
+		&& $controller instanceof LoginController
+	) {
+         // render a login template 
+         ....
+// the code below - 403 page that includes  CSRF in the current state
} else {
	$response = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest');
	$response->setStatus($exception->getCode());
}

Otherwise I need to write a JS code with redirect and pass it to the template using the same conditions as above, but it could be slightly more tricky.

[PVince81]

I like your PHP approach better than JS hackery.

[VicDeo]

Done for 10.0.5

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.