Frequent XSRF errors
Starting about a week ago, I'm seeing a lot of errors about incorrect XSRF tokens on both mtlynch.io and forum.tinypilotkvm.com. I've seen it happen a few times when I click a link from an email notification, and reply to the comment.
I just saw the error when replying to this comment:
https://mtlynch.io/freelancer-guidelines/#comment-6
But strangely, the comment posted anyway without me having to resubmit or reload.
KajMagnus @KajMagnus2024-01-13 16:04:31.659ZLast Thursday (Jan 11, two days ago) I upgraded the server with a change that renames an XSRF cookie to
TyCoXsrf— I tried to make this backwards compatible (looking at the old cookie as a fallback) but maybe I overlooked something. (Hmm that's not a week ago though)Is what happens that you get an error dialog in the blog comments
<iframe>? Something like this?
If so, seems I can reproduce the error.
Right now, I think it happens only to people who have an old
XSRF-TOKENcookie, but that "new" people, who visit one's blog to post a comment, but haven't done that before, won't run into the problem.I'll continue having a look ...
Michael Lynch @michael(Hmm that's not a week ago though)
Yeah, I don't recall the exact timing. Maybe it only started two days ago.
Is what happens that you get an error dialog in the blog comments ? Something like this?
Yep! That looks like the error I've been getting.
KajMagnus @KajMagnus2024-01-13 19:47:19.762ZOk, now I think I've found the problem: I forgot that the browser side code sometimes reads the cookie value. So, the browser side code should probably also fallback to the old cookie name & value.
This should be an error that happens almost only to admins — namely to people who 1) have interacted enough with the iframe, for the browser to decide to include cookies (they tend to not do that, because of their tracking prevention). And who 2) has that old
XSRF-TOKENcookie (most of them probably do).Anyway, I'll fix in the upcoming version some time next week (how does that sound?)
- KajMagnus @KajMagnus2024-01-13 20:13:45.573Z
Oh but this can happen not only in
<iframe>s but in forums as well (like you wrote, I noticed now) — then I should probably build a new server now soon and fix this- Michael Lynch @michael
Sure, that sounds good. Any updates on progress?
- KajMagnus @KajMagnus2024-01-22 15:47:42.490Z
Yes, a new server later this week. I've fixed it, plus some other a bit related security things as well. A bit code review remains & building a new server
(Sorry for the delay. I think that it happens at most once in the forum (for each old user), and, for blog comments, only for admins & people who have commented somewhat frequently before)
- In reply tomichael⬆:KajMagnus @KajMagnus2024-01-28 10:11:19.327Z2024-01-28 10:45:02.305Z
Now this hopefully fixed — I've upgraded the server here at Ty .io. I'll upgrad Prod tomorrow (if all seems fine). (Took a little bit longer than I thought with code review & fixing broken tests.)
Everyone gets logged out from everywhere — all cookie names have changed (now there's a
__Host-prefix). (Cookie with old names aren't deleted (not yet at least), but they're ignored server side.)In browser tabs that are already open, there can still be that annoying XSRF warning once :- (. But disappears after page reload.
(Note to myself: Those tabs run old Javascript (from before the upgrade) which uses old cookie names, and sends an old-XSRF-cookie-value as XSRF token. The server then compares that old-cookie-value, with the value of the new XSRF cookie, but these are different. After page reload, that old Javascript is gone though.)
- Progresswith handling this problem