Closed Bug 864663 Opened 10 years ago Closed 10 years ago

CSRF failure on stage after confirming PIN to make a purchase


(Marketplace Graveyard :: Payments/Refunds, defect, P1)



(Not tracked)



(Reporter: kumar, Assigned: kumar)




(3 files)

Attached file csrf-http.log
- purchase app
- enter new email
- enter PIN
- confirm PIN

This doesn't happen after flashing and does not always happen. Attached is a log that shows HTTP requests/responses
This is on stage only
Summary: CSRF failure after confirming PIN to make a purchase → CSRF failure on stage after confirming PIN to make a purchase
Attached file csrf-http2.log
Attached image screenshot.png
New evidence: this happens in relation to specific persona emails. David kept seeing a CSRF even after re-flashing. When he switched persona emails it worked. I added a new http log with his failure.
andy, please don't hate me :)
Assignee: nobody → amckay
Assignee: amckay → nobody
How often do you see this?  Any more you can tell us?
pretty often.  Happened to me about 5 times yesterday.  Kumar reflashed my phone and I needed to create a new persona account to fix.  Happened also to others.  So this is a very high priority.  If there are further logs we can capture here, let us know.
I have rebooted my phone and still had this problem
We've only ever seen this on the stage site and I can't find any problem with the HTML form. Perhaps one machine in the server cluster isn't set up for sessions right or something like that. At first we thought it was related to specific persona accounts but that may not be true.
Sessions are all cookie based now.  If you have something you want to test specifically let's CC Jason, I'm just not sure what to ask him based on comment 10
they aren't cookie based on webpay. They're still memcache in webpay which I think is the reason why it's failing on stage (more nodes). Jason and I are looking at it.
Assignee: nobody → kumar.mcmillan
Priority: -- → P1
Target Milestone: --- → 2013-04-25
thanks jason! From IRC, this was the issue:

jason: for stage we have two memcached hosts
jason: one of the memcached nodes kept restarting the memcached service
Closed: 10 years ago
Resolution: --- → FIXED
cookie sessions (bug 871850) should prevent this from happening in the future
You need to log in before you can comment on or make changes to this bug.