Invalid csrf token #4311

Closed
1 of 6 tasks
GoodERPJeff opened this issue Jun 25, 2018 · 12 comments
Comments

GoodERPJeff commented Jun 25, 2018

  • Gitea version (or commit ref): 1.4.2
  • Git version: 2.17
  • Operating system:
  • Database (use [x]):
    • [ ] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [x] No
    • [ ] Not relevant
  • Log gist:

Description

...
Repo settings: uncheck the pull request options, save.

Shows a blank page with "Invalid csrf token."

Screenshots

@GoodERPJeff (Author)

This happens on Chrome, but when I change to Firefox, the settings are successfully saved.

I may close this issue and keep tracking.

gruo commented Feb 21, 2019

Happened to me while trying to comment on a still open issue. I had two tabs of this particular gitea instance open, which pointed to different repositories.

After going to issues home and opening the same issue and commenting afterwards, the problem disappeared and the comment was added.

bohwaz commented Jun 6, 2019

Same issue as @gruo: the page was in my browser cache; when I tried to submit, it just showed this message.

It would be good to just show the page again and ask the user to re-submit!

@choucavalier

I think this is still an issue. Gitea should work on all browsers. This happened to me on qutebrowser.

3F commented Apr 22, 2020

Same here with Firefox for the issue tracker. I'm already used to the following combination: Backspace + F5 + click button again. But actually I was seeing far too many broken csrf tokens, at least for 1.10.3, 1.11.0 - 1.11.4.

6543 (Member) commented Apr 22, 2020

This is a caching problem of Chrome - just delete your cache.

@choucavalier

@6543 I don't think it's valid to just discard this issue by saying "Chrome is the problem". I personally don't have any issue with other websites I'm using that definitely use csrf tokens.

6543 (Member) commented Apr 22, 2020

I would still say this is a feature request: #11182

You don't have to clean the cache; you can log out and log in afterwards to fix this.

3F commented Apr 22, 2020

@6543

  1. I think I mentioned exactly Firefox. Why Chrome?
  2. Why "[Feature] detect and "logout" on old csrf token" (#11182)? If I am still authorized! I can easily interact with gitea after F5 (on the contrary, cache helps to restore missing data).

Moreover, token problems sometimes appear every ~5/10 minutes. What should I do after your amazing #11182? Log in after every ~5 minutes? If so, please leave it as is.

Sorry, but I'd prefer to spend ~3 sec for just Backspace + F5 + click button again instead of your login/pass <_<

@zeripath (Contributor)

@3F this reads a little rude. @6543 is a volunteer like all of us here and has put a lot of hours in to make this project better overall.

Generally I'd argue against logging out here - you could be denied service that way. Issuing a redirect may be better; however, there should be a document somewhere stating the recommended practice, but my googlefu is failing me.

If we end up wanting to issue a redirect we will need to change the csrf library to give us access to the request in the errorfunc so we can send a proper redirect.
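The approach zeripath outlines above (reject the stale token, then redirect the browser back to the form instead of logging the user out or rendering a bare error page), sketched as an added Go example; this is not Gitea's code, and the cookie name, form field name and route are assumed illustration values:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names (illustration only, not Gitea's): session token in a cookie, form copy in a hidden field.
const cookieName, formField = "_csrf", "_csrf"
// tokenValid compares the posted token with the session's token in constant time.
func tokenValid(r *http.Request) bool {
	c, err := r.Cookie(cookieName)
	if err != nil || c.Value == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(r.FormValue(formField))) == 1
}

// protect never treats a mismatching token as valid; instead of a blank error page or a
// logout it answers 303 to the same URL, so the browser re-fetches the form with a fresh token.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead && !tokenValid(r) {
			http.Redirect(w, r, r.URL.String(), http.StatusSeeOther)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// simulate pushes one constructed request through protect and returns the status code.
func simulate(method, cookieTok, formTok string) int {
	body := strings.NewReader(formField + "=" + formTok) // tokens here are plain constructed values
	req := httptest.NewRequest(method, "/repo/settings", body)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if cookieTok != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookieTok})
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	protect(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(simulate("POST", "tokA", "tokA"), simulate("POST", "tokB", "tokA")) // 200 303
}
```

The second call models the cached-page case from this thread: the form still carries the old token while the session now holds a new one, so the POST is refused and the user is sent back to a freshly rendered form.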

3F commented Apr 22, 2020

@zeripath

> this reads a little rude.

?? I'm sorry, but what and where did I say "little rude"?

I simply shared my problem, where every ~5 minutes the token is invalid, and the proposed logout for this method is just not a good idea. Isn't it?

Or can I not offer my thoughts for this project?! I'm sorry, I didn't know there is such severe censorship for this project o_o

@go-gitea go-gitea locked and limited conversation to collaborators Apr 22, 2020
@techknowlogick (Member)

I've locked this ticket as it has been closed since 2018. @6543 took the right approach to open a new ticket. An invalid token should not be treated as valid, as otherwise that is a security issue.
