
Getting a `No XSRF cookie` response when modifying user name and full name on google signup

By Sandor Turanszky @sandorTuranszky
    2019-04-07 11:10:50.334Z

    Steps to reproduce:

    1. Signup with a fresh Gmail account
    2. Once redirected to the form where a username and full name can be updated, make updates and submit the form
    3. See the response
    403 Forbidden
    No XSRF cookie [DwE7GCV0]
    

    The token is actually sent in the request:

    Happened to me twice:
    The first time I navigated back to the Google popup where one can choose accounts, then chose the account I used to register, and it turned out I had successfully registered despite the No XSRF cookie response.

    However, the second time I tried to reproduce the bug and after the steps described above I got this message:

    Facebook mobile app problem?
    
    Did you go to here, via Facebook's mobile app? If so, you're likely using Facebook's built-in browser. It makes things break.
    
    Instead, copy the login URL, and log in outside Facebook. (Or outside any other mobile app you're using, if not Facebook?)
    

    And then, when navigating back to the Google popup with available accounts, I get this:

    500 Internal Server Error
    Error when signing in with google: None of the registered handlers can handle the given state item: ItemStructure(csrf-state,{"token":"a7978f52f72118140113a587d1e45941429e70424dc7acf88c31ae8cf9f77b6d8b37fad738979235503d88e251c9dbc9b51ff6ee6157eea8d82dc2f410400e1f394bfc41b91e84b66c88d3e9b356ebe7d017b38515b9ba7378eed996b63e039ea962d44878d830ddc8af35bc482007cb711353ec0567d34452921b67b487aaa8"}) [TyEOAUTH0B]
    
    Stack trace:
    com.mohiva.play.silhouette.api.exceptions.ProviderException: None of the registered handlers can handle the given state item: ItemStructure(csrf-state,{"token":"a7978f52f72118140113a587d1e45941429e70424dc7acf88c31ae8cf9f77b6d8b37fad738979235503d88e251c9dbc9b51ff6ee6157eea8d82dc2f410400e1f394bfc41b91e84b66c88d3e9b356ebe7d017b38515b9ba7378eed996b63e039ea962d44878d830ddc8af35bc482007cb711353ec0567d34452921b67b487aaa8"})
    	at com.mohiva.play.silhouette.impl.providers.DefaultSocialStateHandler.$anonfun$unserialize$2(SocialStateProvider.scala:291)
    	at scala.collection.immutable.List.map(List.scala:286)
    	at com.mohiva.play.silhouette.impl.providers.DefaultSocialStateHandler.$anonfun$unserialize$1(SocialStateProvider.scala:288)
    	at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
    	at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
    	at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
    	at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
    	at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
    	at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
    	at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
    	at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
    	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
    	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:44)
    	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
    	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
    	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
    	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
    
    2. KajMagnus @KajMagnus 2019-04-08 04:42:20.619Z 2019-04-08 05:17:53.040Z

      The "No XSRF cookie" error:

      This happens if one logs in / signs up, in two different browser tabs, in parallel. Like so:

      1. Click Log In / Sign Up, in one browser tab.
      2. Click login-with-Google. This sets a cookie dwCoReturnToSiteXsrfToken, and opens a Google login popup.
      3. In another browser tab, in the same browser: Click Log In. This clears the dwCoReturnToSiteXsrfToken cookie.
      4. In the first browser tab, in the Google login popup window: Proceed with logging in to a Google account.

      Now, after you've logged in to the Google account, you'll be redirected back to Talkyard, which compares an XSRF token in the URL, with the dwCoReturnToSiteXsrfToken cookie — however, this cookie is gone. So the server replies:

      No XSRF cookie [DwE7GCV0]
      

      I'm thinking this is not so user friendly. The server could say something about parallel logins not being supported, and to try again.

      The X-XSRF-TOKEN you noticed, is a different cookie, not related to these login steps.

      The "Facebook mobile app problem":

      This happens if one logs in via, say, Google, but, when the Google login popup is open, closes the Talkyard parent window. Then, when done logging in to Google, and being redirected back to Talkyard, there's an error when Talkyard tries to continue in the Talkyard parent window, ... since that window is gone (closed).

      (This also happens if using Talkyard from inside Facebook's apps.)

      This also doesn't feel so user friendly. Maybe there could be a message like "Did you close the Talkyard window? Please return to Talkyard and try logging in again" or something like that. (In addition to the Facebook Messenger message.)

      The "None of the registered handlers can handle the given state item" error:

      I think this happens if a login window has been opened for too long — then a timeout inside the OpenAuth login library Talkyard uses, deletes things from the cache (for security reasons), and, when one finally submits the login data, then Talkyard no longer knows what to do with it.

      This also doesn't seem so user friendly. Maybe there could be a message like "Has the login window been open for fairly long? Please return to Talkyard and try logging in again"

      (Let me try to reproduce this ... will take about 10 minutes ... for the server to "forget" its internal OAuth state ...) ... 30 min later: Ok yes it's the timeout that deletes the OAuth state. I'm getting the same error: "com.mohiva.play.silhouette.api.exceptions.ProviderException: None of the registered handlers can handle the given state item: ItemStructure(csrf-state,{"token":"7974cb575fb7 .... d1ec9"})".
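The two failure modes KajMagnus describes above (the cookie cleared by a parallel login in a second tab, and the server-side OAuth state expiring while the popup stays open) both come down to one callback handler comparing three things: the state in the redirect URL, the XSRF cookie, and the server's memory of states it issued. The simulation below is an added example written for this page, not Talkyard's or Silhouette's code. The cookie name dwCoReturnToSiteXsrfToken is taken from the reply; the class and function names, the 10-minute lifetime, the callback URL, and the error texts are assumptions. It goes one step beyond the thread by also exercising the case the state check exists for in the first place: a callback URL whose state was not issued to this browser (login CSRF).

```python
"""Model of the OAuth state / XSRF-cookie checks discussed in the thread.

Added example, not Talkyard's or Silhouette's code. Only the cookie name
comes from the page; everything else (names, TTL, messages, URLs) is an
assumption made for illustration.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

COOKIE = "dwCoReturnToSiteXsrfToken"
STATE_TTL_SECONDS = 600  # assumed; the reply only says "about 10 minutes"
CALLBACK = "https://talkyard.example/oauth-callback"  # assumed URL


class Browser:
    """One browser profile: every tab shares this single cookie jar."""

    def __init__(self):
        self.cookies = {}


class Server:
    """Minimal model of the site's side of the OAuth state handshake."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # state token -> time it was issued

    def click_login(self, browser):
        # Opening the login dialog discards any earlier return-to-site token;
        # this is the step that breaks a login still running in another tab.
        browser.cookies.pop(COOKIE, None)

    def start_google_login(self, browser):
        # Fresh random state, remembered server-side and bound to the browser
        # via the cookie. Returns the URL the popup is sent to.
        token = secrets.token_hex(32)
        self._pending[token] = self.clock()
        browser.cookies[COOKIE] = token
        return f"https://accounts.google.com/o/oauth2/auth?state={token}"

    def _forget_expired(self):
        now = self.clock()
        for tok, issued in list(self._pending.items()):
            if now - issued > STATE_TTL_SECONDS:
                del self._pending[tok]

    def oauth_callback(self, browser, url):
        """Handle the redirect back from Google; return (status, message)."""
        state = parse_qs(urlparse(url).query).get("state", [""])[0]
        cookie = browser.cookies.get(COOKIE)
        if cookie is None:
            # Cookie gone: most likely a second login in another tab, so say
            # that instead of a bare "No XSRF cookie".
            return 403, "Login not completed: please do not log in from two tabs at once, then try again"
        if not hmac.compare_digest(cookie, state):
            # URL state differs from the cookie: a forged or replayed callback
            # (login CSRF), or two logins mixed up in one browser.
            return 403, "Login state mismatch: please start the login again"
        self._forget_expired()
        if state not in self._pending:
            # Cookie and URL agree, but the server already forgot this state.
            return 500, "The login window was open too long: please return to the site and try again"
        del self._pending[state]           # single use
        browser.cookies.pop(COOKIE, None)  # the cookie has done its job
        return 200, "logged in"


def _state_of(google_url):
    return parse_qs(urlparse(google_url).query)["state"][0]


def parallel_tabs_scenario():
    """Steps 1-4 from the reply: the second tab clears the cookie."""
    browser, server = Browser(), Server()
    google_url = server.start_google_login(browser)  # tab 1
    server.click_login(browser)                      # tab 2
    return server.oauth_callback(browser, f"{CALLBACK}?state={_state_of(google_url)}")


def stale_window_scenario():
    """Popup left open past the state lifetime (simulated clock)."""
    now = [1_000_000.0]
    browser, server = Browser(), Server(clock=lambda: now[0])
    google_url = server.start_google_login(browser)
    now[0] += STATE_TTL_SECONDS + 1
    return server.oauth_callback(browser, f"{CALLBACK}?state={_state_of(google_url)}")


def forged_callback_scenario():
    """Attacker-chosen state that was never bound to this browser."""
    browser, server = Browser(), Server()
    server.start_google_login(browser)
    return server.oauth_callback(browser, f"{CALLBACK}?state={'a' * 64}")


def happy_path():
    browser, server = Browser(), Server()
    google_url = server.start_google_login(browser)
    return server.oauth_callback(browser, f"{CALLBACK}?state={_state_of(google_url)}")


if __name__ == "__main__":
    for name in ("parallel_tabs_scenario", "stale_window_scenario",
                 "forged_callback_scenario", "happy_path"):
        print(name, globals()[name]())
```

The stale-state case answers 500 only to mirror what the thread shows; in a real handler a 4xx with the retry hint is the better choice, since nothing went wrong on the server. The cookie-versus-URL comparison uses a constant-time compare and the state is deleted on first use, so a callback URL cannot be replayed even within the lifetime.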

      1. Sandor Turanszky @sandorTuranszky 2019-04-08 06:20:22.702Z replies to KajMagnus:

          I believe this was my case - I had two different browser tabs open. I will check this out to confirm; however, I clearly remember I was logged in in one tab as an admin. So it makes sense.

          1. I've now changed the error message, so it's human friendly: it now says one shouldn't log in in two separate tabs in parallel (instead of the weird "No XSRF cookie"). I'd think this'll work well enough, and I'll mark this as "Done".

            (Turns out the OpenAuth library Talkyard uses (Silhouette for Play Framework), doesn't support parallel login in two different browser tabs, so there has to be an error message.)

            1. @KajMagnus marked this topic as Done 2019-05-18 10:32:52.701Z.