Bug #10577

closed

ERF42-4995 - Invalid authenticity token (Session timed out at login screen)

Added by Tommy McNeely almost 9 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Web Interface
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce...

  • Open the Foreman Login screen
  • Wait a long time (overnight?) for the session to time out [1]
  • Try to log in
  • ERROR

[1] - NOTE: I produced this during a chrome upgrade (per script below) last night, then tried to login this morning.
...

Expected Result: Session timed out, back to the login screen again (similar to when the session times out in other parts of the app)

Actual Result: ERF42-4995 [Foreman::Exception]: Invalid authenticity token (500 error)

IRC:
[08:23] <TommyTheKid> Bug or feature? - I "updated chrome" last night, and my foreman screen was sitting at the login. I entered my details, and clicked Login, and got an error that looked a lot like a "500" error Invalid Authenticity Token
[08:23] <Dominic> likely a feature, your session probably timed out
[08:23] <TommyTheKid> There shouldn't be any token "before" I login?
[08:24] <Dominic> there is, every form, including the login form has a token and you even have a session before logging in, which the token's stored in, so it was probably just that
[08:24] <Dominic> (to stop cross site posting attacks)
[08:24] <TommyTheKid> should it be handled cleaner than a 500 error?
[08:25] <Dominic> yeah, I'd accept that :)
[08:25] <Dominic> "go back and refresh, try again"
[08:26] <TommyTheKid> it seems like it only happens at the login screen, otherwise everything else dumps me back to the login screen
[08:27] <TommyTheKid> very niche case, but just a UX thing that I thought I would ask about
[08:28] <Dominic> TommyTheKid: hm yeah, I suppose if your session expired on another page then you may hit the session check before the token authenticity check, hence the redirect. good spot
...
[08:31] <Dominic> TommyTheKid: #6999 originally introduced it, btw

Actions #1

Updated by Dominic Cleal almost 9 years ago

I wonder if leaving the session_expiry filter enabled on the login page would be enough to make this work properly. Currently it's disabled: https://github.com/theforeman/foreman/blob/1.8.0/app/controllers/users_controller.rb#L6

Actions #2

Updated by Tommy McNeely almost 9 years ago

Trace:

Foreman::Exception
ERF42-4995 [Foreman::Exception]: Invalid authenticity token
app/controllers/application_controller.rb:376:in `handle_unverified_request'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

Actions #3

Updated by Tommy McNeely almost 9 years ago

I just realized that it may be more than a simple session timeout... still not sure what the best way to handle it is, though.

New Steps to reproduce:

  • Open the foreman login screen in more than one tab/window (in Chrome)
  • (not sure if this is required) - Leave them overnight
  • Open a new foreman tab (for example clicking on a host in the email report)
  • Login there, view report
  • Switch back to the other tabs (that were left last night) and try to login to foreman.

Now it's getting to be even more of a niche case?

Actions #4

Updated by Dominic Cleal almost 9 years ago

Makes a bit more sense now, probably not the session expiry versus token order in this case.

It's likely that both tabs were part of the same session - Chrome would've used the session cookie from the new tab when submitting the old tab, but since the form was old, it had an old token in there.

Foreman's doing the right thing in preventing it, but it could simply redirect the user back, or show a nicer error page to suggest what might have happened (either somebody being attacked, or an innocent "go back and try again").
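The mechanism described in this comment (both tabs share one session cookie, while the old tab's form still carries a token bound to an earlier session) modelled as an added Ruby example; this is not Foreman's or Rails' code. The names Session, Csrf, LoginController, stale_tab_scenario and fresh_scenario are hypothetical, the token masking is a simplified version of the Rails scheme, and the two outcomes of handle_unverified_request stand for the 500 the reporter saw and the "go back and try again" redirect suggested in the IRC log.

```ruby
require 'securerandom'

# Added example, not Foreman or Rails code: a toy per-session CSRF token that is
# issued when the login form is rendered and checked when the form is posted.

# One server-side session; the CSRF secret is bound to it (hypothetical class).
class Session
  attr_reader :id, :csrf_secret
  def initialize
    @id = SecureRandom.hex(8)
    @csrf_secret = SecureRandom.random_bytes(32)
  end
end

module Csrf
  LEN = 32

  # Mask the session secret with a fresh one-time pad so that every rendered
  # form carries a different token (the same idea Rails uses, simplified here).
  def self.form_token(session)
    pad = SecureRandom.random_bytes(LEN)
    [pad + xor(session.csrf_secret, pad)].pack('m0')
  end

  # Unmask and compare against the secret of the session the *request* carries,
  # i.e. the session named by the cookie, not the one the form was rendered in.
  def self.valid?(session, token)
    return false unless token.is_a?(String)
    raw = token.unpack1('m0')
    return false unless raw.bytesize == 2 * LEN
    secure_compare(xor(raw[LEN, LEN], raw[0, LEN]), session.csrf_secret)
  rescue ArgumentError # token is not valid base64
    false
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so the check does not leak the secret via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal stand-in for the login controller. The browser's cookie jar is a plain
# Hash shared by every tab, as one Chrome profile shares cookies across tabs.
class LoginController
  def initialize(graceful:)
    @graceful = graceful
    @store = {} # session id => Session
  end

  # GET /users/login: render the form with a token for the current session.
  def render_login(cookie_jar)
    { authenticity_token: Csrf.form_token(current_session(cookie_jar)) }
  end

  # POST /users/login: the forgery check runs before credentials are looked at.
  def submit_login(cookie_jar, form)
    session = current_session(cookie_jar)
    return handle_unverified_request unless Csrf.valid?(session, form[:authenticity_token])
    { status: 200, body: "welcome #{form[:login]}" }
  end

  # Simulates the server-side session timing out overnight.
  def expire_all!
    @store.clear
  end

  private

  def current_session(cookie_jar)
    session = @store[cookie_jar[:_session_id]]
    return session if session
    session = Session.new
    @store[session.id] = session
    cookie_jar[:_session_id] = session.id # Set-Cookie replaces the old cookie
    session
  end

  # Reported behaviour: the exception surfaces as a 500. Suggested behaviour:
  # send the user back to the login form with an explanation.
  def handle_unverified_request
    return { status: 500, body: 'Invalid authenticity token' } unless @graceful
    { status: 302, location: '/users/login', flash: 'Your login form had expired; please try again.' }
  end
end

# The sequence from comment #4: tab A renders the login form, the session times
# out, tab B logs in (getting a fresh session cookie), then tab A's old form is
# submitted carrying tab B's cookie. Returns the HTTP status tab A receives.
def stale_tab_scenario(graceful:)
  ctrl = LoginController.new(graceful: graceful)
  jar = {}
  tab_a = ctrl.render_login(jar) # token bound to session 1
  ctrl.expire_all!               # overnight timeout
  tab_b = ctrl.render_login(jar) # new tab: session 2, cookie replaced
  ctrl.submit_login(jar, { login: 'admin', authenticity_token: tab_b[:authenticity_token] })
  ctrl.submit_login(jar, { login: 'admin', authenticity_token: tab_a[:authenticity_token] })[:status]
end

# The same form submitted promptly, in the session it was rendered in.
def fresh_scenario
  ctrl = LoginController.new(graceful: true)
  jar = {}
  form = ctrl.render_login(jar)
  ctrl.submit_login(jar, { login: 'admin', authenticity_token: form[:authenticity_token] })[:status]
end

if __FILE__ == $PROGRAM_NAME
  puts "fresh form:          #{fresh_scenario}"
  puts "stale tab, strict:   #{stale_tab_scenario(graceful: false)}"
  puts "stale tab, graceful: #{stale_tab_scenario(graceful: true)}"
end
```

Running the file prints 200 for the fresh form and 500 or 302 for the stale tab depending on the mode. The token check itself is the same in both modes and rightly rejects the stale form, whether the cookie's session simply expired or was replaced by a login in another tab; what the thread is asking to change is only how that rejection is reported to the user.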

Actions #5

Updated by Tomer Brisker over 3 years ago

  • Bugzilla link set to 1840166

Actions #6

Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Tomer Brisker
  • Pull request https://github.com/theforeman/foreman/pull/7832 added

Actions #7

Updated by The Foreman Bot over 3 years ago

  • Fixed in Releases 2.2.0 added

Actions #8

Updated by Tomer Brisker over 3 years ago

  • Status changed from Ready For Testing to Closed

Actions #9

Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/foreman/pull/7975 added

Actions #10

Updated by Shira Maximov about 3 years ago

  • Bugzilla link changed from 1840166 to 1868303