Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-04-05 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  vehrlich
 Type:  Cleanup/optimization     |  Status:  closed
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:  fixed
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  1                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------

Comment (by Tim Graham):

 In [changeset:"147f9a0d2a31a90df413158ecaa7778a1f21e281" 147f9a0d]:
 {{{
 #!CommitTicketReference repository=""
 revision="147f9a0d2a31a90df413158ecaa7778a1f21e281"
 [1.9.x] Fixed #26201 -- Documented the consequences of rotating the CSRF
 token on login.

 Backport of 369fa471f46cd517edf5fc82e4ef6138de3cff6 from master
 }}}

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.dc9a677e21f76fd12a506e39c5c7b3b1%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-04-05 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  vehrlich
 Type:  Cleanup/optimization     |  Status:  closed
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:  fixed
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  1                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------
Changes (by Tim Graham):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"369fa471f46cd517edf5fc82e4ef6138de3cff6e" 369fa47]:
 {{{
 #!CommitTicketReference repository=""
 revision="369fa471f46cd517edf5fc82e4ef6138de3cff6e"
 Fixed #26201 -- Documented the consequences of rotating the CSRF token on
 login.
 }}}



Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-04-04 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  vehrlich
 Type:  Cleanup/optimization     |  Status:  assigned
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  1                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------

Comment (by timgraham):

 [https://github.com/django/django/pull/6391 PR]



Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-04-03 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  vehrlich
 Type:  Cleanup/optimization     |  Status:  assigned
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  1                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------
Changes (by vehrlich):

 * has_patch:  0 => 1




Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-04-03 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  vehrlich
 Type:  Cleanup/optimization     |  Status:  assigned
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  0                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------
Changes (by vehrlich):

 * status:  new => assigned
 * owner:  nobody => vehrlich




Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-03-08 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  nobody
 Type:  Cleanup/optimization     |  Status:  new
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  0                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------

Comment (by collinanderson):

 This happens to my users pretty frequently for whatever reason (possibly
 the back button is involved). Reloading the POST request doesn't fix it,
 because it will re-POST the old csrf token. The user needs to press back,
 reload (GET) the page, and then re-submit the form.

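The failure mode Collin describes above (a form rendered before login still carries the pre-login token, so re-POSTing it keeps failing until the page is fetched again), together with Tim's note further down that rotating the token on login is deliberate, is easier to see in a small model of the mechanism. The following is an added example written for this page, not Django's own code: it models the double-submit pattern behind Django's CsrfViewMiddleware (a secret in the csrftoken cookie, the same value echoed in the form field) and the rotate_token() call that django.contrib.auth.login() performs. Everything else is an assumption for the sake of the model: the Server, Browser and Tab classes are hypothetical, there is no token masking, no Referer or Origin check, no session handling, and the whole exchange runs in memory. The reason rotation matters is that a token issued to an unauthenticated visitor may have been observed or planted before login, so it must not remain valid for the authenticated session; the price is exactly the stale-tab 403 the thread is about.

```python
"""
Model of CSRF checking with token rotation on login (added example, not
Django's code).  Assumptions: no token masking, no Referer/Origin
checks, no sessions; Server/Browser/Tab are hypothetical helpers.
"""
import hmac
import secrets

CSRF_COOKIE = "csrftoken"
CSRF_FIELD = "csrfmiddlewaretoken"
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def new_token():
    """Fresh random CSRF secret (hex so it is cookie- and form-safe)."""
    return secrets.token_hex(16)


class Server:
    """Hypothetical app: GET renders a form, POST is CSRF-checked, /login rotates."""

    def get_form(self, cookies):
        """Render a form; issue a CSRF cookie if the browser has none yet."""
        token = cookies.get(CSRF_COOKIE) or new_token()
        # The form echoes the cookie value: the double-submit check.
        return 200, {CSRF_COOKIE: token}, {CSRF_FIELD: token}

    def post(self, path, cookies, form):
        """CSRF check first, then dispatch. Returns (status, set_cookie, body)."""
        expected = cookies.get(CSRF_COOKIE, "")
        given = form.get(CSRF_FIELD, "")
        if not expected or not hmac.compare_digest(expected, given):
            return 403, {}, REASON_BAD_TOKEN
        if path == "/login":
            # Like auth.login() -> rotate_token(): a new secret after authentication,
            # so nothing issued to the anonymous visitor stays valid afterwards.
            return 200, {CSRF_COOKIE: new_token()}, "logged in"
        return 200, {}, "ok"


class Tab:
    """A rendered page: keeps the form (and token) it was served with."""

    def __init__(self, form):
        self.form = dict(form)


class Browser:
    """Cookie jar shared by every tab; that sharing is what breaks stale tabs."""

    def __init__(self, server):
        self.server = server
        self.cookies = {}

    def open_form(self):
        """GET the form page in a new tab."""
        _status, set_cookie, form = self.server.get_form(self.cookies)
        self.cookies.update(set_cookie)
        return Tab(form)

    def submit(self, tab, path):
        """POST the form held by a tab with the browser's current cookies."""
        status, set_cookie, _body = self.server.post(path, self.cookies, tab.form)
        self.cookies.update(set_cookie)
        return status


def scenario():
    """Replay the back-button story; returns the status code of each step."""
    browser = Browser(Server())
    old_tab = browser.open_form()      # rendered before login: token A
    login_tab = browser.open_form()    # same cookie jar, so also token A
    results = {}
    results["login"] = browser.submit(login_tab, "/login")        # 200; cookie is now B
    results["stale_post"] = browser.submit(old_tab, "/comment")   # 403: form A vs cookie B
    results["repost"] = browser.submit(old_tab, "/comment")       # 403 again: re-POST resends A
    fresh_tab = browser.open_form()    # GET again: form now carries B
    results["fresh_post"] = browser.submit(fresh_tab, "/comment") # 200
    return results


if __name__ == "__main__":
    for step, status in scenario().items():
        print(f"{step:>11}: {status}")
```

Reloading the POST in the stale tab resends the same stale form field, which is why "repost" fails the same way as "stale_post"; only a fresh GET picks up the rotated cookie value, matching the recovery steps given in the comment above. A missing field is rejected the same way as a mismatched one, so the model also covers a form that never rendered the token.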


Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-02-20 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  nobody
 Type:  Cleanup/optimization     |  Status:  new
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  0                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------
Changes (by zachborboa):

 * cc: zachborboa@… (added)




Re: [Django] #26201: Document the consequences of rotating the CSRF token on login

2016-02-10 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  nobody
 Type:  Cleanup/optimization     |  Status:  new
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  0                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------

Comment (by wimfeijen):

 Hi, thanks Aymeric and Tim for your quick response and reference!

 My additional proposal would be to change the wording of the error message
 to something an end-user would understand, for example:

 Access forbidden (403 error)

 Please reload the page to try again.

 Your request was aborted due to a CSRF verification failure.

 Please report to the site's administrator if the problem persists.



Re: [Django] #26201: Document the consequences of rotating the CSRF token on login (was: CSRF verification failed. Request aborted. screen is shown to end users)

2016-02-10 Thread Django
#26201: Document the consequences of rotating the CSRF token on login
---------------------------------+-------------------------------
 Reporter:  wimfeijen            |  Owner:  nobody
 Type:  Cleanup/optimization     |  Status:  new
 Component:  Documentation       |  Version:  1.8
 Severity:  Normal               |  Resolution:
 Keywords:                       |  Triage Stage:  Accepted
 Has patch:  0                   |  Needs documentation:  0
 Needs tests:  0                 |  Patch needs improvement:  0
 Easy pickings:  0               |  UI/UX:  0
---------------------------------+-------------------------------
Changes (by timgraham):

 * type:  Uncategorized => Cleanup/optimization
 * stage:  Unreviewed => Accepted
 * component:  Uncategorized => Documentation


Comment:

 As for how to customize the CSRF error page,
 [https://docs.djangoproject.com/en/dev/ref/csrf/#rejected-requests see the
 docs].

 I'll accept this ticket to add an FAQ to the list started in #26165. In
 his security talk at [https://opbeat.com/events/duth/ Django Under the
 Hood 2015], Florian said rotating the token on login "is a security
 feature and won't change."
