No internet connection
  1. Home
  2. Support

Frequent XSRF errors

By Michael Lynch @michael
    2024-01-13 02:01:59.755Z

    Starting about a week ago, I'm seeing a lot of errors about incorrect XSRF tokens on both mtlynch.io and forum.tinypilotkvm.com. I've seen it happen a few times when I click a link from an email notification, and reply to the comment.

    I just saw the error when replying to this comment:

    https://mtlynch.io/freelancer-guidelines/#comment-6

    But strangely, the comment posted anyway without me having to resubmit or reload.

    • 7 replies
    1. Last Thursday (Jan 11, two days ago) I upgraded the server with a change that renames an XSRF cookie to TyCoXsrf — I tried to make this backwards compatible (looking at the old cookie as a fallback) but maybe I overlooked something. (Hmm that's not a week ago though)

      Is what happens that you get an error dialog in the blog comments <iframe>? Something like this?

      If so, seems I can reproduce the error.

      Right now, I think it happens only to people who have an old XSRF-TOKEN cookie, but that "new" people, who visit one's blog to post a comment, but haven't done that before, won't run into the problem.

      I'll continue having a look ...

      1. Michael Lynch @michael
          2024-01-13 16:23:58.811Z

          (Hmm that's not a week ago though)

          Yeah, I don't recall the exact timing. Maybe it only started two days ago.

          Is what happens that you get an error dialog in the blog comments ? Something like this?

          Yep! That looks like the error I've been getting.

          1. Ok, now I think I've found the problem: I forgot that the browser side code sometimes reads the cookie value. So, the browser side code should probably also fallback to the old cookie name & value.

            This should be an error that happens almost only to admins — namely to people who 1) have interacted enough with the iframe, for the browser to decide to include cookies (they tend to not do that, because of their tracking prevention). And who 2) has that old XSRF-TOKEN cookie (most of them probably do).

            Anyway, I'll fix in the upcoming version some time next week (how does that sound?)

            1. Oh but this can happen not only in <iframe>s but in forums as well (like you wrote, I noticed now) — then I should probably build a new server now soon and fix this

              1. Michael Lynch @michael
                  2024-01-22 15:25:31.862Z

                  Sure, that sounds good. Any updates on progress?

                  1. Yes, a new server later this week. I've fixed it, plus some other a bit related security things as well. A bit code review remains & building a new server

                    (Sorry for the delay. I think that it happens at most once in the forum (for each old user), and, for blog comments, only for admins & people who have commented somewhat frequently before)

          2. In reply tomichael:
            KajMagnus @KajMagnus2024-01-28 10:11:19.327Z2024-01-28 10:45:02.305Z

            Now this hopefully fixed — I've upgraded the server here at Ty .io. I'll upgrad Prod tomorrow (if all seems fine). (Took a little bit longer than I thought with code review & fixing broken tests.)

            Everyone gets logged out from everywhere — all cookie names have changed (now there's a __Host- prefix). (Cookie with old names aren't deleted (not yet at least), but they're ignored server side.)

            In browser tabs that are already open, there can still be that annoying XSRF warning once :- (. But disappears after page reload.

            (Note to myself: Those tabs run old Javascript (from before the upgrade) which uses old cookie names, and sends an old-XSRF-cookie-value as XSRF token. The server then compares that old-cookie-value, with the value of the new XSRF cookie, but these are different. After page reload, that old Javascript is gone though.)

            1. Progress
              with handling this problem
            2. @KajMagnus marked this topic as Started 2024-01-13 16:07:42.825Z.